SECURITY OF AN INDUSTRIAL SYSTEM


Abstract 


by 
MELVIN HUGH SOLLBERGER 


The control of security for an industrial system demands an 
understanding of the causes and effects of disruptive structural dis- 
turbances, called contingencies. To reduce the effect of these dis- 
turbances one can implement contingency control, contingency preven- 
tion and contingency planning. Implementation requires the definition 
and classification of system constraints. Once classified as either 
an operating constraint or a load constraint, security with respect 
to a given contingency can be determined. Based on these constraints, 
the modes of operation are partitioned into sets which are indicative 
of the security control actions required prior to, during and after 
a system emergency. Of particular interest are the actions required 
prior to a system emergency, because here it is possible to exercise 
contingency control, that is, to alter the security of the system to 
make it less susceptible to certain contingencies. Contingency 
control has been formulated as a constrained optimization problem in 
which the imposition (relaxation) of security constraints increases 
(decreases) the security of the system. Security control is
universally applicable to all industrial systems. Yet the degree of
implementation depends upon the flexibility of the system and
desirability (based upon the trade-off between performance and
security).
CHAPTER I


INTRODUCTION 


Historically, system security has always been a major con- 
cern of design engineers, system operators, and management personnel. 
Yet this concern has not resulted in a comprehensive understanding 
of system security. The emphasis in the past has been directed 
in many areas such as: understanding and designing reliable
systems, providing alternatives and system redundancies to allow
compensation for certain disruptive disturbances, designing inter-
locks and prevention systems to prevent the occurrence of certain
catastrophic events, designing automatic protection devices to
place the system in a safe condition after certain events occur,
and training operators to evaluate and take action based upon the
security (or insecurity) of the system.

The research and literature on reliability is extensive and 
will not be reviewed in this dissertation. It concentrates on 
the calculation and/or estimation of reliability of the overall 
system based upon the reliability of individual components. It 
is more concerned with the probability of system failure, the 
measurement of individual reliability, and the mean time between 
failures than the secure operation of the system. 


Whether the system is reliable or unreliable, it will be
subjected to some disturbances which will threaten the structure
of the system. These disturbances are not subject to normal 
compensation. However, by providing alternatives and redundancies 
the system will be more flexible; and with this flexibility, a 
well-trained operator can use his knowledge of the system to 
operate it in a safe, reliable and secure manner. However, diffe- 
rent operators may operate the system differently, resulting in 
differing degrees of safety or security, and consequently different 
levels of performance. This means that both performance and 
security are variable and may depend solely upon operator ability. 
This becomes less acceptable as the systems become more complex 
and the rate of operator turnover increases.

To insure that certain catastrophic events can not occur or
more often will not reoccur, certain designers specialize in 
preventing events by providing system interlocks. Some events can 
not be prevented with any degree of certainty and thus it is 
imperative to protect the system from damage when these events 
occur. The design of automatic protection devices is concerned 
with this problem. All of these design efforts are related and 
more important, they are related to the secure operation of the 
system. 

Recently at Case Western Reserve University, Tomas E. 
Dy-Liacco (12) took a new and different approach to system security. 


Using pattern recognition, a computer was programmed to assist the
operator in determining whether or not an electrical power system
was secure or insecure. Dy-Liacco's work implied the existence
of concepts governing security control, which could be applied to
other complex systems.


The purpose of this dissertation is to develop a consoli- 
dated and coherent set of concepts for system security. These 
concepts must be the framework which relates the design efforts 
to secure operation of a system. More important is the deve- 
lopment of concepts which will guide the design of future control 
systems, capable of controlling the security of a system. These 
automated control systems must be capable of operating a complex 
system with the efficiency and the safety of the most experienced 
and best trained operator, yet with the repeatability of a digital 
computer. In order to design such a system, one must understand 
not only security but also the trade-off between security and
system performance.


The thesis has been separated into four sections, philosophy, 
examples, implementation and extensions. Chapters two and three 
provide the definitions, concepts and philosophy of security 
control. Then, chapters four and five present some general 
examples, illustrating the applicability of these concepts. 
Chapter six is concerned with an actual implementation of con-
tingency control to a complex process. Chapter seven presents
extensions and conclusions arising from (a) the application of security
control and (b) the philosophical and conceptual development.








CHAPTER II
THE CONCEPT OF SECURITY CONTROL 


In this chapter the concepts of security control will be pre- 
sented. This will include definitions and explanations of terms to 
be used in succeeding chapters, such as security, contingencies,
constraints, modes of operation, and types of security control.


Contingencies 

A contingency is a possible but not certain event or disturbance 
which is capable of changing the structure of a system; i.e., a 
disruptive structural disturbance. Since this disturbance or event
is uncertain, there is a probability of occurrence associated with
each contingency, and this probability will vary under differing
conditions.

One can consider contingencies to belong to one of two classes: 
environmentally dependent and environmentally independent contin- 
gencies. An environmentally dependent contingency requires a given 
environment before it is feasible. Without this environment or the 
satisfaction of a given set of conditions, it is impossible for this
contingency to occur. There may be more than one environment in
which it can occur and the probability of occurrence may vary from
one environment to another. Other contingencies are environmentally
independent, that is their probability of occurrence is independent
of the environment. In addition to requiring some environmental
conditions, most contingencies are not isolated events but on the
contrary belong to a sequence of events and will not occur unless 

the preceding events have already occurred. Even if the environ-
mental and the sequential conditions are satisfied, many contingen-
cies still will not happen without initiation. The initiating
action may be a very small disturbance. These three types of
conditions can all be collected and expressed as a set of necessary
conditions for the occurrence of a contingency. The necessary
conditions for an environmentally independent contingency are limited
to the sequential and initiating conditions.

A contingency can either occur very quickly or occur over a
period of time. If it occurs over a period of time, then it may
be possible to terminate the contingency before it disrupts the
system's structure.

In order to fully understand contingencies one must consider 
what constitutes a disruption of the system's structure. If a 
system is composed of interconnected subsystems and some of the 
subsystems have more than one mode of operation, then the internal 
structure of the system can be altered by varying the modes of 
operation of the subsystems. In some processes the modes of 
operation may be simply operating within specifications or out of 
specification. In the simplest of cases each subsystem can be 
either operative or inoperative. In this case any disturbance
which can cause a subsystem failure will change the mode of the
subsystem from operative to inoperative and consequently change the
internal structure of the overall system. In this case the contin- 
gencies would be the disturbances that can cause a subsystem to 
fail. In the more general case, in order to enumerate the contin- 
gencies, one must list the identifiable subsystems and all the modes 
of operation for each of these subsystems. There are various 
failures which can occur in a subsystem and thus change the mode of 
operation. The disturbances which cause these failures (total or 
partial) are the contingencies which can be considered for not only 
this subsystem but also for the overall system. The causes of the 
contingencies and the subsystem failure are one and the same. 

A fact of particular interest is that there are other distur-
bances of lesser magnitude that do not result in a structural change,
and there may be more than one contingency that results in the same
structural change. If there are several contingencies that result
in the same structural change and these disturbances differ only in 
degree or magnitude, then one need only consider the disturbance 
having the least magnitude rather than the entire family of contin- 
gencies. This representative contingency is a critical or threshold 
disturbance. 

In order to appreciate the effect of contingencies on a system,
let me consider a system S composed of interconnected subsystems.
Some of the subsystems have more than one mode of operation. Thus,
the internal structure of the system S can be varied by altering the
modes of operation of the subsystems. One result of this variable
structure is that the input/output relations will vary with these
changes in structure, causing S to appear as a time-varying system.

The system S as a whole will not have a single functional
representation. However, if one identifies the internal structure
(topology) then one would expect to find a functional representation
associated with each topology. In the case of a static system, let
the functional representation of this static system be a vector
function. Let the input vector be u (subscripted to denote different
input vectors). Let the various internal structures (topologies) of
the system S be denoted by T (subscripted to denote different
topologies). Let the output vector be y (subscripted to denote
different output vectors). For a topology T_j and an input u_i, the
output is y_ij:

    $y_{ij} = f(u_i, T_j)$


This indicates that for the same input but different topologies, 
the output may differ. The system need not be static, however for
simplicity this static system will illustrate the pertinent concepts.


Constraints 

One of the problems which arises is: after the internal struc-
ture has been altered the system may no longer be able to satisfy
the demands that are levied on the system. These demands can be
expressed as restrictions or constraints that must be satisfied.








Definition: A "constraint" is a restriction on the system 
variables. For simplicity assume that the 
constraint does not depend on the topology, 
then it can be expressed as: 


The constraints on a system can have many origins, such as safety, 
quality control, security, performance, operational and continuity 
requirements. However for the moment, consider the following two 
types of constraints: 
Definition: A "load constraint" is a constraint that 
results from performance requirements, such 
as the supply must equal demand; the supply 
must be greater than the demand; the demand 
(order) must be satisfied (filled) within a 
certain time interval; or the output must 
meet certain specifications. 
Failure to satisfy a load constraint does not jeopardize the system 
in any way, but results in customer dissatisfaction because the 
customer's demands (load) are not satisfied. Failure to satisfy a 
load constraint jeopardizes the goal of the system. 
Definition: An "operating constraint" is a constraint
that results from an operational requirement, 
such as a system or component must be operated 
safely and/or continuously. 
Now if all the system constraints can either be classified as an
operating or a load constraint, then the system and its constraints
can be represented by:

    $y_{ij} = f(u_i, T_j)$
    $g(u_i, y_{ij}) \le 0$

where g is a vector composed of the load and operating constraints.


A Normal System 


Definition: A system is "normal" if both the operating
and load constraints are satisfied.

Let T_1 be one of the normal configurations for this system,
that is

    $y_{i1} = f(u_i, T_1)$
    $g(u_i, y_{i1}) \le 0$

are satisfied. If a contingency that causes the topology to change
to T_2 occurs, will the system still be normal? The system will be
normal if and only if

    $g(u_i, y_{i2}) \le 0$

is satisfied. When a contingency occurs and the new topology results
in an input/output relation that continues to satisfy the operating
and load constraints then the system was secure.


Security

Definition: A system is "secure" with respect to a given
contingency if the system is normal before and
after the contingency has occurred.

Security need not be limited to a single contingency. On the
contrary, a system can be said to be secure with respect to a set
of contingencies if it is secure with respect to each contingency
of that set. It is assumed that only one contingency of this set
occurs during a given period of time; i.e., that period of time under
consideration. The set of contingencies with respect to which the
system must be individually secure is called "the set of next
contingencies". For the purposes of security, each contingency of
"the set of next contingencies" is deemed to be imminent. Before
considering more than one contingency, consider the case in which
the "set of next contingencies" consists of a single contingency.

In this case, consider the previous system equations and the load
and operating constraints:

    $y_{ij} = f(u_i, T_j)$
    $g(u_i, y_{ij}) \le 0$

If one of the normal modes of operation has a topology, T_1, and the
"set of next contingencies" consists of the contingency which causes
the topology to change to T_2, then in order to be secure with res-
pect to this contingency the system must satisfy the following:

    $y_{i1} = f(u_i, T_1)$
    $y_{i2} = f(u_i, T_2)$
    $g(u_i, y_{i1}) \le 0$
    $g(u_i, y_{i2}) \le 0$

The first two equations will be satisfied because they follow directly
from the set of system equations. The first inequality will be
satisfied because T_1 is a topology corresponding to a normal system.
The second inequality is a security constraint. By restricting the
system to those inputs and outputs which satisfy this inequality,
one can insure it will not be violated. This will insure that the
system will remain normal even if this contingency occurs. Note
that only for this restricted set of inputs and outputs, T_2 is a
topology corresponding to a normal system. The unrestricted set of
inputs and outputs for this topology may not satisfy this constraint.


Definition: A "security constraint" is a constraint that
results from security requirements, i.e., the 
desire to be secure with respect to a given 
contingency. 

It may be necessary to impose additional constraints on the sys-
tem, in order to insure that the system is secure with respect to
a given contingency. If security were the only consideration, then
one might try to select operating and load constraints that were at
least as restrictive or more restrictive than the security constraints
that are required by the "set of next contingencies". This set of
constraints might result in an empty operating space; i.e., the only
feasible operating condition is not operating at all. Even if the
operating space is not empty, the system performance might be
unacceptable when all of the security constraints are imposed. This
introduces the very important concept of a trade-off between security
and performance. By relaxing the security constraints, improved
performance may be realized. By imposing security constraints, the
security is enhanced and the performance may suffer a degradation.
How can one handle the selection of which constraints are to be
relaxed and which constraints are to be imposed? As before, there
is a set of next contingencies with respect to which the system must
be secure. Thus the set of all possible contingencies can be divided
into three subsets: those for which the system is always insecure,
those for which the system is marginally secure (sometimes secure and
sometimes insecure), and those for which the system is always secure.
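As an added illustration (not from the dissertation), the following Python model encodes the definitions above for a constructed three-unit supply system: the topology T is the set of operative units, the input u is the demand, y = f(u, T) is the per-unit loading, and g splits into operating and load constraints. It checks security with respect to the contingency "loss of one unit", classifies each contingency over an operating space as always secure, marginally secure or always insecure, and derives the security constraint that contingency control would impose on the input; the normal/alarm/emergency/restorative partition it uses is the one given in the Modes of Operation section later in this chapter. The unit ratings, the overload factor and the demand values are assumed sample values.

```python
"""Toy model of this chapter's security definitions (added example, not
from the dissertation).  The topology T is the set of operative supply
units, the input u is the demand, the output y = f(u, T) is the loading
of each operative unit, and the constraint vector g(u, y) <= 0 splits
into operating and load constraints.  Ratings, overload factor and
demands are constructed sample values."""
from typing import Dict, FrozenSet, List, Tuple

# Constructed subsystems: unit name -> safe rating.  A unit is operative
# when present in the topology and inoperative when absent.
RATINGS: Dict[str, float] = {"A": 100.0, "B": 100.0, "C": 50.0}
# Assumed short-term limit: a unit can carry at most 120% of its rating.
OVERLOAD_FACTOR = 1.2

Topology = FrozenSet[str]
Output = Dict[str, float]


def f(u: float, T: Topology) -> Output:
    """y = f(u, T): operative units share the demand u in proportion to
    their ratings, each capped at its overload limit."""
    total_rating = sum(RATINGS[k] for k in T)
    y: Output = {}
    for k in T:
        share = u * RATINGS[k] / total_rating
        y[k] = min(share, OVERLOAD_FACTOR * RATINGS[k])
    return y


def g(u: float, y: Output) -> Tuple[List[float], List[float]]:
    """Constraint vector g(u, y) as (operating, load) components; each
    component must be <= 0 for its constraint to be satisfied."""
    operating = [y[k] - RATINGS[k] for k in y]   # loading <= rating
    load = [u - sum(y.values())]                 # supply >= demand
    return operating, load


def satisfied(components: List[float], tol: float = 1e-9) -> bool:
    return all(c <= tol for c in components)


def mode(u: float, T: Topology) -> str:
    """Partition of the modes of operation by which constraints hold:
    normal, alarm, emergency or restorative."""
    operating, load = g(u, f(u, T))
    op_ok, load_ok = satisfied(operating), satisfied(load)
    if op_ok and load_ok:
        return "normal"
    if load_ok:
        return "alarm"        # operating violated, load still met
    if op_ok:
        return "restorative"  # load unmet, operating satisfied
    return "emergency"        # neither satisfied


def is_normal(u: float, T: Topology) -> bool:
    return mode(u, T) == "normal"


def lose(T: Topology, unit: str) -> Topology:
    """The contingency 'unit fails': T_1 -> T_2 = T_1 without that unit."""
    return T - {unit}


def secure(u: float, T1: Topology, unit: str) -> bool:
    """Secure with respect to the contingency: normal before (T_1) and
    after (T_2) it occurs, for the same input u."""
    return is_normal(u, T1) and is_normal(u, lose(T1, unit))


def classify_contingency(T1: Topology, unit: str, inputs: List[float]) -> str:
    """Over the operating space (the inputs for which T_1 is normal) a
    contingency is always secure, marginally secure or always insecure."""
    results = [secure(u, T1, unit) for u in inputs if is_normal(u, T1)]
    if results and all(results):
        return "always secure"
    if not any(results):
        return "always insecure"
    return "marginally secure"


def security_constraint(T1: Topology, unit: str, inputs: List[float]) -> float:
    """Contingency control: the largest demand that remains secure with
    respect to losing 'unit'.  Admitting only u <= this value is the
    security constraint g(u, y_2) <= 0 carried back onto the input."""
    admissible = [u for u in inputs if secure(u, T1, unit)]
    return max(admissible) if admissible else 0.0


if __name__ == "__main__":
    T1 = frozenset(RATINGS)   # every unit operative
    demands = [float(d) for d in range(0, 260, 10)]
    for unit in sorted(RATINGS):
        print(f"loss of {unit}: {classify_contingency(T1, unit, demands)}, "
              f"secure for demand <= {security_constraint(T1, unit, demands)}")
```

With these sample ratings every demand up to 250 is normal with all units in service, yet the system is secure against losing unit A only up to a demand of 150, which is the constraint that contingency control would impose at the cost of the performance between 150 and 250.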


Alternatives 

After the system has been designed with redundant subsystems 
and other improvements for the sake of reliability, can any more be 
done? Certainly, a lot more can be done in order to operate this 
system in a safe and continuous manner. For each contingency there 
are operating alternatives that can be classified according to 
whether the action to be taken occurs before, immediately prior to, 
during or after the contingency occurs. 

Without naming these actions, let us consider their nature. The
actions taken before a contingency are either to prevent the con-
tingency from occurring or to negate (reduce) the damage if the
contingency occurs. Once the contingency begins to occur, preven-
tion is out of the question. However both the minimization of
damage or penalties due to the contingency and the prevention of
other contingencies are still very important. This can be done by
placing the system in a safe mode of operation and restoring the
system to a normal mode of operation as soon as possible. After the
contingency has occurred the objectives are similar to the objectives
of importance during the contingency, namely insuring the system is
safe or secure with respect to other next contingencies and restoring
the system to normal as soon as possible. The prevention of con-
tingencies is quite naturally called "contingency prevention". The
imposition and relaxation of security constraints to enhance security
and thus directly influence the effects of the contingency is called
"contingency control". The preparation of action to be taken as
soon as the contingency occurs and during the restoration phase is
called "contingency planning" and these actions are known as
contingency plans until they are executed.


Contingency Prevention 

For each contingency the prevention will be different, however 
the method of contingency prevention is similar. Since there are 
usually necessary conditions that must be satisfied before the 
contingency can occur, prevention is directed towards controlling 
these necessary conditions. This may entail control of either the 
environmental conditions, the sequential conditions, the initiating 
conditions or all three. 

If a contingency has no necessary conditions, it can not be 
prevented with any degree of certainty. This is apparent because 
the absence of necessary conditions implies that 1) the prob-
ability of occurrence does not depend on the environment; i.e., it
is an environmentally independent contingency, 2) this contingency
does not belong to a sequence of events, and 3) an initiating action
or condition is not necessary. Based on these facts, this type of
contingency is a truly random event that can not be detected or
predicted until after it has begun to occur. If this contingency
occurs over a period of time, then it may be possible to terminate
the contingency before it disrupts the system's structure; i.e.,
contingency control. If it occurs in a very short period of time,
then it may be possible to reduce the degree of disruption, by
implementing a contingency plan.

Consider a contingency that is not really random, one with 
necessary conditions. The contingency can be prevented by preventing 
one or more of the necessary conditions. For example, if sequential
conditions exist, that is the contingency belongs to a sequence of
events, then by preventing a preceding event, the sequence can be
stopped before the contingency occurs. Often the expected probability
of occurrence increases as the sequential events transpire. When
this is the case, the preceding events can be used as a forewarning
and they can initiate contingency prevention and/or contingency
control. If the contingency is environmentally dependent, then
efforts to control the environment will result in either partial or
total contingency prevention. Total prevention occurs when the
contingency becomes non-feasible. Partial prevention occurs when
the probability of occurrence decreases. The set of initiating
conditions can be considered as a sequential condition, namely the
sequential event that is just prior to the contingency. The reason
one should attempt to distinguish the initiating conditions from
other sequential conditions is: once the initiating conditions have
occurred, the contingency can not be prevented if all other necessary
conditions have been satisfied. In addition to this, the initiating
condition can be used to initiate the immediate actions of the
applicable contingency plan.

It may not be possible or profitable to prevent a given con- 
tingency on a permanent basis. If this is so, then one must consider 
contingency control and contingency planning.

A special (or familiar) type of prevention is accomplished by 
designing system "interlocks". Interlocks are designed to take 
advantage of either sequential conditions or necessary conditions 
that must occur simultaneously. By adding constraints to the system,
one can prevent the occurrence of one or more of these necessary
conditions and thereby prevent the contingency from occurring.


Contingency Control 

After all desirable efforts to prevent a contingency have been 
expended, then one's attention is directed towards totally negating 
the effect of the contingency before it occurs. In order to do this, 
security constraints must be imposed in order to insure that the
system remains secure with respect to this contingency.

In the preceding section, one form of contingency control was
mentioned, namely terminating a contingency before it disrupts the
system's structure. In general, any action taken before or during
a contingency that attempts to negate the effect of the contingency
is contingency control. If the contingency control is totally
effective, then when the contingency occurs, the system will remain
in a normal mode of operation. It is important to note the diffe-
rence between prevention and control. When contingency prevention
is totally effective, the contingency can not occur. In the case
of contingency control, the contingency occurs but the system is
being operated in such a manner as to insure that the contingency does
not disrupt the system's structure enough to cause an emergency.
Thus the key to effective contingency control can be found by
answering the following questions: Can the system be operated in
alternative modes of operation? If so, can one select an alterna-
tive mode of operation, in which the contingency under consideration
will be less disruptive? And finally, are there modes of operation,
in which the effect of the contingency is totally negated? That
is, when operating in one of these modes, the contingency will not
result in an emergency or damage. If it is not possible to totally
negate the effect of the contingency before it occurs, then preven-
tion is necessary and if neither total contingency prevention nor
total contingency control has been implemented, then this contin-
gency will result in an emergency when it occurs.
Now assuming that it will occur and that an emergency will be
one of the results, it is logical to question how much damage will
occur. Depending on the actions that are taken after the contingency
has begun to occur, this damage will vary. Actions taken to mini-
mize the damage should be part of a contingency plan.


Contingency Planning 

In many cases, once the contingency begins to occur, some 
structural change is inevitable. In order to minimize the structural 
damage, selected groups of subsystems are quickly isolated from the 
overall system. This is accomplished by using fast-acting automatic
protection devices, such as isolation valves, thermal and electrical
fuses, circuit breakers and flow diverting devices. The automatic
protection devices may have priorities, be sequentially ordered, be
interlocked or be the initiating action of other contingencies and/or
more complicated special protection systems. The purpose of the
fast-acting automatic protection devices and other immediate actions
is to reduce the extent of the structural damage, to put the system
in a safe condition from which known recovery measures can be used
to restore the system to normal, and to ease the recovery by pre-
venting the occurrence of unnecessary complications. Once the
immediate actions have been taken and all automatic protection 
devices have actuated, then the system is in a fail-safe condition. 


At this time recovery procedures can be implemented and they include
shifting from a fail-safe condition to the maximum partial load
condition. That is, one would like to restore all undamaged isolated
subsystems to normal and connect these subsystems in a manner which
will give the system a partial load capacity. This topology will
satisfy the maximum number of customers according to a priority
listing in which a lower priority consumer will not be satisfied
until all higher priority consumers, that can be satisfied, have
been satisfied. As damaged portions of the system are repaired,
using a priority system of repair these subsystems can be placed in
service to increase the partial load capacity. In this manner, the
entire system will eventually be restored to normal, and will be
capable of satisfying all the demands on the system. In some
systems, the best contingency plan may be the plan that can get the
system back to normal as soon as possible with a minimum amount of
off-quality product.

When a contingency plan is needed, it is too late to be developing 
it. Prior to the contingency, the following should be known: the 
least desirable state of the system just prior to the contingency, the 
desired "fail-safe" condition for this contingency, and the desired
normal mode of operation after restoration. Through knowledge of the
system behavior and/or simulation, one can determine the transition
of the system during the emergency. Without implementing the contin-
gency plan, this transition begins with the least desirable state of
the system and ends with the simulated state after the contingency.










Then the control problem is to formulate a sequence of actions 
which will cause this transition to terminate in the desired "fail-
safe" condition. As a contingency begins to occur there may be
doubt as to which contingency is occurring or where it is located. 
This is due to the fact that an initial portion of the transition 
for several different contingencies may be identical. 

This necessitates a set of simple yet decisive diagnostic actions. 
The purpose of these diagnostic actions is to determine the following: 
which contingency is occurring and where it is located? The diagnostic
actions are usually sequenced according to priorities. Sequential
priorities can be based on the following facts: 1) There are vital
subsystems which should be maintained in a normal operating mode as
long as possible. 2) There is an optimal (minimum) number of diag-
nostic actions and by taking these in the proper sequence, the
location will be determined in a minimum amount of time with the
least amount of disruption to the normal mode of operation. 3) There
are locations that are more likely to be the location of the contin-
gency than others. These locations are determined on the basis of
past performance and system design. 4) Each succeeding diagnostic
action should depend on the results of preceding diagnostic actions.
Diagnostic actions can terminate when either the type and location
of the contingency are known or when emergency actions are necessary
to insure that the transition will terminate at the desired "fail-
safe" condition.
To increase the time available for diagnosis and correction,
certain stationary actions can be taken. The purpose of these
stationary actions is to maintain the present state or condition
without interfering with the diagnosis and allow more time for
diagnosis. There are conditions beyond which no emergency actions
exist which can insure a termination at the desired "fail-safe"
condition. Before one of these conditions is reached, emergency
actions must be initiated and at this time additional diagnostic
or stationary actions will not be undertaken. Once actions are
taken to force the system into a "fail-safe" condition, every action
is devoted to this end. In addition to emergency actions, isolation
and safety actions may be necessary to attain the "fail-safe" condi-
tion. When a "fail-safe" condition is reached, it must be verified.
That is, one must determine that the desired condition has been
reached and that it is a stable and safe condition. For example, a
point of conditional stability is not acceptable as it is not usually
safe.

Additional actions are necessary to take the system from the
"fail-safe" condition to a partial load condition. These actions
are recovery or restorative type actions and can be taken with care
when time and the situation will permit partial restoration. These
actions are often the reverse of the diagnostic, isolation and
safety actions taken during the emergency. As the repairs are
completed, transitions to other partial load conditions will be
permitted until the entire system is restored to normal. Since
recovery actions from various "fail-safe" conditions have already
been planned, the transition from one partial load condition to
another can be accomplished safely by returning to a "fail-safe"
condition and then using these tested pre-planned actions. This
will eliminate the expense of developing plans between all of the
various partial load conditions. In addition, the use of existing
safe procedures for obtaining optimal loading for various partial
loads demanded during the normal mode of operation will reduce the
work involved in planning restorative actions.


Modes of Operation 

As previously mentioned, as the internal structure of a system 
changes the mode of operation changes. This can result in a large 
number of topologies for the larger composite system. Each 
identifiable system topology can be considered to be a mode of operation 
for the system. The number of different modes of operation can be 
quite large. In fact, if any one subsystem has a continuous mode of 
operation, where the mode can be altered in a continuous manner over 
a range of values, rather than a set of discrete modes, then there 
will be an infinite number of modes for this subsystem and an 
infinite number of modes for the composite system. If one desires to 
limit the modes and insure that there is a finite number of modes, 
then each continuous range can be divided into a finite number of 
increments. 
Since this number will be large for a complex system, it is 
worthwhile to consider certain collections (sets) of these modes. 
For security control, a natural partitioning occurs if one considers 
those sets which are separated by the system constraints. Whenever 
the operating and load constraints are satisfied, the system is in 
one of the normal modes of operation. If either a load or an 
operating constraint can not be satisfied, then the system is in one of 
the abnormal modes of operation. There are three types of abnormal 
modes of operation: a set of alarm modes in which the operating 
constraints are not satisfied but the load constraints can be 
satisfied, a set of emergency modes in which neither the operating nor 
the load constraints can be satisfied, and a set of restorative modes 
in which the load constraints can not be satisfied but the operating 
constraints can be satisfied. This decomposition is natural because 
it is related to the condition of the system prior to, immediately 
prior to, during and after a system emergency. 

In a normal mode the security control effort is devoted to 
contingency prevention and contingency control. In an alarm mode, 
additional security constraints are imposed in order to prevent the 
occurrence of other contingencies and to reduce or negate the effect 
of the contingency that has begun to occur. Contingency prevention 
and contingency control for the other contingencies continue as 
before, unless this contingency is one of the necessary conditions 
for another contingency. In an emergency mode or a restorative 
mode, the contingency has either begun to occur or has occurred and 
the control effort is devoted to the implementation of a contingency 
plan. The security control actions can be called preventative, 
corrective, emergency and restorative actions corresponding to the 
four sets of modes: normal, alarm, emergency and restorative. 

Of particular interest are the security control actions associated 
with the normal and alarm sets of modes because in these cases it 
is possible to adjust the operation of the system by the imposition 
(and relaxation) of security constraints to enhance (and degrade) 
the security of the system. 

Figure 2-1 depicts pictorially the relationship between the 
various modes of operation and the load and operating constraints 
for some hypothetical system. Security constraints have not been 
shown on this figure. In this figure the normal operating space is 
enclosed by a boundary. 

Figure 2-1 

In order to remain secure one must operate the system in such a 
manner as to avoid violation of this boundary. Thus there are two 
mutually exclusive and collectively exhaustive subsets of this 
normal operating space (a secure and an insecure subset). 
Conceptually this is shown in Figure 2-2. 
Once a "set of next contingencies" has been chosen the boundary of 
the secure region is fixed. This boundary is made up of the security 
constraints that are associated with a particular "set of next 
contingencies". Ideally one would like to be able to concisely 
enumerate these security constraints. If this can be done then the 
security control problem becomes a constrained optimization problem. 
For the case where the security constraints can not be enumerated, 
this boundary must be estimated. When pattern recognition is 
used to determine whether a system is secure or insecure, the 
pattern recognizer constructs an approximation to this boundary and 
then uses this approximation to determine whether an untested 
operating point lies interior or exterior to this boundary. The opposite 
approach is to exactly determine the boundary by listing the 
applicable security constraints. If this can be done, then the trade-off 
between security and performance can be defined exactly. Using this 
trade-off relationship one can determine when to impose and relax 
individual security constraints. This is what is being done by 
operators when they make decisions concerning security and 
performance. The most significant difference is that operators make their 
decisions based upon experience rather than the solution of a 
constrained optimization problem. Thus their decisions may not be 
repeatable or consistent, and may vary from one operator to the 
next. 
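As an added illustration, not part of the thesis, the following Python classifies an operating point into the four sets of modes from its operating and load constraints and then tests it against the security constraints of a chosen "set of next contingencies" (the enumerated-boundary approach just described); the variable names, limits and contingency names are constructed sample values.

```python
"""Mode of operation and security classification of an operating point.

Added example (not from the thesis) of the partitioning described above:
operating constraints and load constraints decide which set of modes the
system is in, and, within the normal set, the security constraints attached
to a chosen "set of next contingencies" form the boundary of the secure
subset.  All constraint limits, variable names and contingency names below
are constructed sample values.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

State = Dict[str, float]


@dataclass(frozen=True)
class Constraint:
    name: str
    holds: Callable[[State], bool]


# Constructed operating constraints: limits the equipment must stay within.
OPERATING = [
    Constraint("furnace_temp <= 1600", lambda s: s["furnace_temp"] <= 1600.0),
    Constraint("auger_speed <= 90", lambda s: s["auger_speed"] <= 90.0),
]

# Constructed load constraint: what the production schedule demands.
LOAD = [
    Constraint("throughput >= 100", lambda s: s["throughput"] >= 100.0),
]

# Constructed security constraints, keyed by the contingency each guards
# against.  Imposing one tightens an operating limit so that the system
# stays within its operating and load constraints if that contingency
# occurs; relaxing it trades security for performance.
SECURITY = {
    "auger_failure": [
        Constraint("auger_speed <= 75", lambda s: s["auger_speed"] <= 75.0),
    ],
    "loss_of_temperature_control": [
        Constraint("furnace_temp <= 1550", lambda s: s["furnace_temp"] <= 1550.0),
    ],
}

# Security control action class corresponding to each set of modes.
ACTION_CLASS = {
    "normal": "preventative",
    "alarm": "corrective",
    "emergency": "emergency",
    "restorative": "restorative",
}


def violated(constraints: List[Constraint], state: State) -> List[str]:
    """Names of the constraints in the list that the state does not satisfy."""
    return [c.name for c in constraints if not c.holds(state)]


def mode_of_operation(state: State) -> str:
    """Classify the state into one of the four sets of modes."""
    operating_ok = not violated(OPERATING, state)
    load_ok = not violated(LOAD, state)
    if operating_ok and load_ok:
        return "normal"
    if load_ok:               # operating violated, load still met
        return "alarm"
    if not operating_ok:      # neither operating nor load met
        return "emergency"
    return "restorative"      # operating met, load not met


def insecure_against(state: State, next_contingencies: List[str]) -> List[str]:
    """Contingencies in the chosen set whose security constraints the state
    violates.  Only a normal-mode state can be secure at all, so every
    contingency is returned when the state is not in a normal mode."""
    if mode_of_operation(state) != "normal":
        return list(next_contingencies)
    return [c for c in next_contingencies if violated(SECURITY[c], state)]


def assess(state: State, next_contingencies: List[str]) -> Dict[str, object]:
    """Mode, corresponding action class, and secure/insecure verdict."""
    mode = mode_of_operation(state)
    insecure = insecure_against(state, next_contingencies)
    return {
        "mode": mode,
        "action_class": ACTION_CLASS[mode],
        "secure": not insecure,
        "insecure_against": insecure,
    }


if __name__ == "__main__":
    point = {"furnace_temp": 1500.0, "auger_speed": 80.0, "throughput": 120.0}
    print(assess(point, ["auger_failure", "loss_of_temperature_control"]))
```

Dropping a contingency from the chosen set relaxes its security constraints, so the same operating point can change from insecure to secure without any change in mode.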

Now that the alternatives have been described a method of 
selecting which alternative should be implemented must be developed. 
In order to decide this, the cost of the various alternatives must 
be compared. This decision and the associated costs will be the 
subject of the next chapter. 


CHAPTER III 
COST OF SECURITY CONTROL 


In this chapter the decision process for selecting security 
control alternatives will be developed. This decision process 
depends on the costs of these alternatives as well as many other 
factors. One should note the importance of the planning horizon. 
The decision to implement or not implement a security control action 
will depend directly on the planning horizon. For any given 
contingency, the total cost will be the sum of the costs due to 
contingency prevention, contingency control, and contingency planning. 

Before considering any specific action, one must understand 
how to justify any security control action without specifying whether 
or not it is contingency prevention, contingency control, or 
contingency planning. Let $P_{ref}$ be the penalty if a given contingency 
occurs without security control. Let $f_{ref}$ be the expected frequency 
of occurrence for this contingency in a given planning horizon. That 
is, if one expects the contingency to occur twice within this time 
period, then $f_{ref} = 2.0$. If one expects an occurrence once in twice 
this amount of time, then $f_{ref} = 0.5$. Then the EMV (expected 
monetary value per unit time) of the loss without security control 
is: 

\[ EMV_{ref} = - \frac{P_{ref} \, f_{ref}}{\text{Planning Horizon}} \] 

Note: $P_{ref} \ge 0$. 

The more negative the EMV, the larger the expected loss. $EMV_{ref}$ is 
the reference value for all security control cost decisions. Any 
control action (preventative, corrective, emergency or restorative) 
must reduce this weighted penalty by an amount greater than its 
cost (per unit time) in order to be justified. Let $C_a$ be the cost 
(per unit time) of the action and $EMV_a$ be the expected monetary 
value if the action is taken; then security control is justified 
if and only if the expected gain is greater than the cost of the 
action: 

\[ EMV_a - EMV_{ref} > C_a \] 

If the cost of the action and the expected monetary value of the 
loss with the action are considered as variables which will depend 
upon the type of action taken, one can maximize 

\[ EMV_a - EMV_{ref} - C_a \] 

in order to determine which action to take. 

There are two special cases, namely total contingency prevention 
and total contingency control. In each of these cases, the EMV 
becomes zero. In the case of total prevention, it is zero because 
the expected frequency of occurrence is reduced to zero. In the 
other case, the penalty is reduced to zero because the contingency 
has been negated. In both of these cases, the cost (per unit time) 
of the action can be as high as the reference EMV and the justification 
criterion will still be satisfied. If either can be achieved, 
then a very simple set of Boolean decisions can be used to compare 
the costs with the reference. The result of this decision process 
will be either contingency prevention, control or planning but it 
will not be a combination of the actions. If neither total 
contingency prevention nor total contingency control can be imposed, 
then partial actions or contingency planning must be considered. 
When one considers partial actions, a combination may result in 
the greatest reduction of EMV at a minimum cost. 

Thus, the decision process depends upon one's ability to 
evaluate the loss, the expected frequency of occurrence, and the 
costs (per unit time) of the actions. As in most realistic decision 
processes, the EMV can be estimated if there is insufficient 
knowledge of the system to actually calculate the appropriate 
numbers. 
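The justification criterion and the two special cases above, worked through in Python as an added example that is not part of the thesis; the penalty, frequency, horizon and action costs are constructed figures, and the rule used to combine partial actions is an assumption stated in the code.

```python
"""Justifying and selecting a security control action by expected monetary value.

Added example, not from the thesis, carrying the criterion above through
with constructed figures.  An action is described by its cost per unit time
and by the factors it applies to the reference frequency (prevention) and
penalty (control): a frequency factor of 0 is total prevention, a penalty
factor of 0 is total control.  Combining partial actions by multiplying
their factors and adding their costs is an independence assumption made
here for illustration only.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Reference:
    penalty: float    # P_ref: loss if the contingency occurs without control
    frequency: float  # f_ref: expected occurrences within the horizon
    horizon: float    # planning horizon, in the unit of time used for costs


@dataclass(frozen=True)
class Action:
    name: str
    cost: float              # C_a, per unit time
    frequency_factor: float  # 1.0 = no prevention, 0.0 = total prevention
    penalty_factor: float    # 1.0 = no control, 0.0 = total control


def emv(penalty: float, frequency: float, horizon: float) -> float:
    """EMV of the loss per unit time: -(P * f) / H, zero or negative."""
    if penalty < 0 or frequency < 0 or horizon <= 0:
        raise ValueError("penalty and frequency must be >= 0, horizon > 0")
    return -(penalty * frequency) / horizon


def emv_reference(ref: Reference) -> float:
    return emv(ref.penalty, ref.frequency, ref.horizon)


def emv_with_action(ref: Reference, a: Action) -> float:
    return emv(ref.penalty * a.penalty_factor,
               ref.frequency * a.frequency_factor, ref.horizon)


def net_gain(ref: Reference, a: Action) -> float:
    """EMV_a - EMV_ref - C_a; positive exactly when the action is justified."""
    return emv_with_action(ref, a) - emv_reference(ref) - a.cost


def is_justified(ref: Reference, a: Action) -> bool:
    return net_gain(ref, a) > 0


def max_affordable_cost(ref: Reference) -> float:
    """Cost ceiling for total prevention or total control: EMV_a is zero,
    so the criterion reduces to C_a < -EMV_ref."""
    return -emv_reference(ref)


def combine(name: str, parts: Sequence[Action]) -> Action:
    """Partial actions taken together (independence assumed, see above)."""
    f_factor = p_factor = 1.0
    cost = 0.0
    for a in parts:
        f_factor *= a.frequency_factor
        p_factor *= a.penalty_factor
        cost += a.cost
    return Action(name, cost, f_factor, p_factor)


def best_action(ref: Reference, candidates: Sequence[Action]) -> Optional[Action]:
    """Justified candidate with the largest net gain; None when nothing is
    justified and only contingency planning remains."""
    justified = [a for a in candidates if is_justified(ref, a)]
    return max(justified, key=lambda a: net_gain(ref, a)) if justified else None


# Constructed figures: a 500 000 unit penalty expected twice in a 12-month horizon.
REF = Reference(penalty=500_000.0, frequency=2.0, horizon=12.0)
TOTAL_PREVENTION = Action("total_prevention", 60_000.0, 0.0, 1.0)
TOTAL_CONTROL = Action("total_control", 90_000.0, 1.0, 0.0)
PARTIAL_PREVENTION = Action("partial_prevention", 10_000.0, 0.5, 1.0)
PARTIAL_CONTROL = Action("partial_control", 15_000.0, 1.0, 0.4)
CANDIDATES: List[Action] = [
    TOTAL_PREVENTION, TOTAL_CONTROL, PARTIAL_PREVENTION, PARTIAL_CONTROL,
    combine("partial_prevention+partial_control",
            [PARTIAL_PREVENTION, PARTIAL_CONTROL]),
]

if __name__ == "__main__":
    print(f"EMV_ref = {emv_reference(REF):.2f} per month")
    for a in CANDIDATES:
        verdict = "justified" if is_justified(REF, a) else "rejected"
        print(f"{a.name:40s} net gain {net_gain(REF, a):12.2f}  {verdict}")
    chosen = best_action(REF, CANDIDATES)
    print("choose:", chosen.name if chosen else "contingency planning only")
```

With these figures total control is rejected because its cost exceeds the magnitude of the reference EMV, while the combination of the two partial actions gives the largest net gain even though each partial action alone is also justified.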


Cost of Contingency Prevention 

Contingency prevention usually requires additional equipment 
to monitor and regulate certain of the system parameters. This 
involves a capital investment and the imposition of additional 
constraints on the system. These constraints are operating 
constraints, for without them continuous operation may be in jeopardy. 
The cost of the equipment, installation, and operation are fixed 
costs. Therefore, they do not affect the optimization. These costs 
must be divided over a period of time (the planning horizon). The 
new operating constraint will affect the steady state operating point 
and the performance if this constraint becomes an active constraint. 
If it is active, then the continuous reduction of performance must 
also be divided by the appropriate planning horizon. If it is 
inactive, it will not affect the desired steady state operating point; 
however, new security constraints may be necessary to insure that 
this operating constraint is not violated. If this is required, it 
is contingency control and the cost (per unit time) of imposing and 
relaxing these security constraints must be considered under 
contingency control. 


The Cost of Contingency Control 

The cost associated with contingency control can be calculated 
in a straightforward manner. Since contingency control requires the 
imposition and relaxation of security constraints, the overall 
system performance index can be used to calculate the cost. If one 
solves the optimization problem with and without the security 
constraints for a given contingency, the corresponding operating points 
will have indices of performance associated with those points. The 
cost of contingency control for a given contingency is the difference 
between the performance with and without security constraints. Thus, 
security with respect to each contingency can be evaluated on its 
own merits. 

It is important to note that the expected frequency of occurrence 
may vary as a function of the operating point. If this is the 
case, then the decision to implement contingency control for a given 
contingency becomes a dynamic decision-making problem, requiring a 
measurement or estimation of the current operating point. If this 
is the case, both the reference EMV and the action EMV will vary as a 
function of the operating point. This requires that the contingency 
control problem be updated and re-evaluated periodically. This is 
a higher stratum feedback mechanism that resembles normal feedback 
control. This will be explained in greater detail in Chapter Six. 


Cost of Contingency Planning 

If there is any reason to believe that the contingency will 
occur and result in damage in spite of efforts to prevent it or 
negate the effect of the contingency, then a contingency plan is 
needed to reduce the penalty (damage). Note that the decision is 
not whether a contingency plan is needed but how elaborate a plan 
can be afforded. 

The actions to be taken can be divided into two types, those 
that depend upon only the contingency and those that depend upon 
the contingency and the operating point of the system. The first 
type constitutes the framework of the contingency plan and the 
others are appended to this framework according to the situation. 
The cost of the framework actions can be neglected as these actions 
will be taken if the contingency occurs and the damage is to be 
minimized. It is no more costly to develop them in advance than to 
develop them as the contingency occurs. Usually it is less costly. 
In the case of the second type, the actions can be developed in 
advance for many situations, can be developed in advance for only 
the worst situation, or can be developed for a few typical 
situations. The necessary simulation and computer programs can be 
developed without working out actions for any particular situation, 
or the planning can be neglected in favor of reliance upon the 
training and ability of the operators. Clearly, a large risk 
(expected frequency of occurrence) and a severe penalty will justify 
more pre-planning and training. The framework actions require very 
little simulation since they are often based upon the 
macro-characteristics of the system. On the contrary, the details of the 
appended actions often require accurate and costly simulations. 
Assume that one can estimate the cost (per unit time) of any portion 
of the contingency plan. Then to justify this portion of the plan 
the EMV must be increased by an amount greater than this cost. 

In conclusion, it is important to note that if the contingency 
can not be prevented or negated then a loss will occur as a result 
of the contingency. This establishes a reference standard for making 
decisions concerning security control. That is, the weighted penalty 
(EMV of the loss) which will result when there is no security control 
is the reference, and to justify any security control it must reduce 
this weighted penalty and the cost must be less than or equal to the 
penalty reduction. This will insure that the sum of the new 
EMV and the total cost is less than or equal to the original 
weighted penalty (the reference EMV). 


CHAPTER IV 
EXAMPLES OF SECURITY CONTROL 


In the next three chapters several examples of security control 
will be presented. The purpose of these examples is to illustrate 
the applicability of security control to familiar industrial 
situations. However, this does not imply that security control is 
limited to industrial systems. The concepts developed in this 
research can be applied to almost any system. Application appears to 
be easier on those systems to which multi-level control techniques 
have been applied. For these systems, all of the levels of control 
need not be fully developed. This will become more apparent in 
Chapter Six, where security control is applied to a system previously 
subjected to only direct control. This chapter will describe the 
glass manufacturing process, contingencies that threaten this system 
and areas where security control can be applied. The emphasis is on 
the applicability of security control. Some of the contingency 
control examples have been deferred to a later chapter, where they 
will be discussed in greater detail. 

In Figure 4-1, the glass manufacturing system has been illustrated 
in a block diagram form. This is, of course, an over-simplified 
representation. 

FIGURE 4-1 

As shown, previously ordered raw materials of acceptable quality 
are received in bulk quantities. Each material has its own peculiar 
characteristics and hence must be packed, unloaded, processed, 
stored, and mixed in a distinctive way. These raw materials are 
transferred to storage bins, which have been designed to prevent 
contamination, caking and other environmental changes. The raw 
materials are precisely measured as they are removed from storage 
and accurately weighed prior to transfer to the mixer. Upon 
completion of the mixing, the dry batch is transported to intermediate 
storage and then to the rear of the glass furnace, where it is 
automatically and continuously fed into the melting end of the 
furnace. 

The glass furnace is separated into two distinct ends, a melting 
end and a working end. A rotating auger is often used to feed the 
batch mixture into the melting end where it is melted by the roaring 
jets of flame that shoot across the top of the pool of molten glass. 
The melting end is separated from the working end by a bridge wall 
that has a throat at the bottom which allows the properly refined 
and partially cooled glass to flow into the working end. In the 
working end, the glass in a vitreous state cools to the desired 
working or gathering temperatures. While cooling, the bubbles 
continue to fine out. 

Connected to the working end are numerous forehearths, which 
are used to maintain the glass at the proper temperature for gathering 
and working. Automatic glass feeding machines, utilizing conditioned 
glass from the forehearth, produce gobs of glass of a predetermined 
size, shape and temperature for the glass working machinery. Glass 
working includes a vast variety of methods and techniques such as 
blowing, pressing, casting, drawing and combinations of these. For 
process control purposes, it is sufficient to recognize that the 
glass working dictates the desired physical state of the glass 
entering the working device and that upon leaving the device the 
physical state of the glass, although changed, is fixed and specified. 
After the glassware is shaped by the glass working machines, it 
is in a semi-finished state and must be either rejected, stored or 
finished. Finishing means cracking the object off, then smoothing 
any rough edges (by grinding and fire polishing) and then annealing 
to remove any unequally strained conditions. In annealing, the 
object is heated in a lehr to some constant temperature in the 
annealing range. At this temperature, most of the strain is relieved 
by viscous flow and then the object is slowly cooled in order to 
prevent the introduction of any new strains. After annealing, the 
glass object may require decoration. Decorative processes include 
etching, sand blasting, cutting, engraving, enameling and various 
methods of coloring the glass with designs. After the decorating 
has been completed, additional firing may be necessary in order to 
make the decoration permanent. After this, the product receives 
its final acceptance (or rejection) inspection. If the glassware 
passes the final inspection, it is packaged and then shipped to the 
customer. 
The overall objective of the glass manufacturing process is to 
produce glassware according to customer demand (orders). That is, 
produce the required number of each specified type of glassware, on 
or prior to a delivery date. Economically one would like to produce 
the glassware at a minimum cost. Once a production line has been 
set up and started, the glassware will be produced at minimum cost 
if the production line can be kept in continuous operation, and the 
number of rejects can be minimized. The minimization of the 
percentage of rejects can be accomplished by selecting plant operating 
parameters that maximize throughput subject to quality control 
constraints. In order to keep the production line in continuous 
operation, one must analyse those contingencies that are capable of 
shutting down the production line. One is definitely interested in 
the contingencies that can damage the production process and thereby 
increase the downtime and the financial loss occurring as a result 
of this downtime. In addition to these, contingencies that can 
cause the plant parameters to be out of specification (resulting in 
poor quality glass) must be considered. 

The contingencies of particular interest are those which 
jeopardize production, the rate of production or delivery dates. 
Some of the contingencies that have been realistic contingencies 
for the glass manufacturing process can be listed as follows: 

    Inventory Outage 
    Mixer Failure 
    Constituent Separation 
    Batch Hopper Hoist Failure 
    Auger Failure 
    Glass Tank Contamination 
    Glass Tank Leakage 
    Loss of a Major Utility 
    Loss of Temperature Control 
    Stirring Rod Failure 
    Loss of Flow Rate Control 
    Glass Feeding Machine Failure 
    Glass Working Machine Failure 
    Conveyor System Failure 
    Improper Quality Control 
    Loss of the Finished Product Removal System 

There are other contingencies which have not been listed. Their 
omission does not imply that they are less significant, only that 
they are less obvious. It is worthwhile to consider each of these 
that have been listed in detail. 

An inventory outage at any point in the production line can 
either halt production or reduce the overall rate of production. 
If the inventory is of a raw material that is common to all glasses 
then all of the glass furnaces could eventually be brought to an 
idle condition. If it is a raw material that is used for only 
certain specialty glasses, then the outage may only affect one glass 
furnace. There are numerous holding or storage facilities that act 
as surge tanks in the system. However, a sustained outage will 
eventually deplete one or more of these reservoirs. An inventory 
outage is not restricted to raw materials at the batch end of the 
process. For example, if there is an inventory outage of packing 
material used at the output of the system, or a decorating color 
used at an intermediate point on the conveyor system, the stacking 
up of semi-finished and finished products would soon bring the 
conveyor system to a halt. 

Throughout the glass manufacturing process there are vital 
pieces of equipment. If one is damaged or fails to operate properly 
the process will be brought to a standstill until it can be repaired. 
For example, at the mixing facility there is often only one mixer. 
Behind each furnace is a hoist for moving the batch hoppers into 
position. At the rear of each furnace is an auger for feeding the 
mixed batch into the furnace. If any of the previously mentioned 
items fail and can not be replaced or repaired within a certain time 
duration, the glass furnace and all of the production lines being 
fed by that furnace will become idle. Downstream of the furnace 
there are pieces of equipment that are vital to the production line 
in which they are located. For example, after each forehearth is 
a stirring assembly. Feeding each production line is a glass feeding 
machine. Downstream of the glass feeding machine are a whole series 
of machines, conveyors, motors and other devices that are connected 
in series. Together they constitute the glass working, annealing 
and finishing systems. These systems are connected continuously and 
can be called the conveyor system. Failure of any element in this 
conveyor system would bring the individual line to an idle condition 
and reduce the overall rate of production. This illustrates two 
different types of vital pieces of equipment: one which is vital to the 
entire process and the loss of which is capable of reducing the 
overall production rate to zero, and the other which is vital to a 
parallel subsystem of the process and if lost is capable of reducing the 
production rate of that subsystem to zero. 

Continuing with the individual contingencies, the next to be 
considered is product contamination. The most obvious source of 
contamination is the introduction of either the wrong materials or the 
wrong amount of materials prior to mixing. If the constituents of 
a dry batch separate, the mixture becomes "unmixed". If this unmixed 
batch is introduced into the furnace, the glass which is produced may 
have cords and seeds. It is possible to introduce a batch hopper 
that was destined for a given furnace into the wrong furnace, causing 
the entire contents of the furnace to become contaminated. This 
contingency differs in magnitude from the introduction of the wrong 
materials or contaminants into the batch prior to mixing. Both 
result in bad glass that may not pass the required quality control 
inspections. The other source of contamination is the erosion of 
the refractory material that is used for the construction of the 
furnace. This erosion not only produces contamination and stones, 
but it can lead to a glass leak. 

There are several contingencies that affect the entire process 
or can occur throughout the process to one degree or another. All 
of the system parameters that are being controlled by direct 
controllers have certain limits within which these parameters must be 
maintained for either component, system or personnel safety. A 
failure of any one of these control systems constitutes a threat to 
the continuous safe operation of the manufacturing process. In 
addition there are certain utilities which are being used by every 
portion of the process such as electricity, water, gas and air. A 
loss or partial loss of one or more of these utilities can be 
catastrophic to the process. Yet these utilities can be services 
that are provided by an external source, and there is no guarantee 
that they will be provided continuously. 

Now that the most obvious contingencies have been discussed, they 
can be divided into the following categories: inventory outage, 
product contamination, loss of a vital component, loss of a control 
system, and loss of a major utility. 

After studying the glass manufacturing process and its numerous 
disruptive disturbances, one becomes aware of the large number of 
potentially dangerous contingencies that can be quickly found in any 
industrial process. This is especially true where the performance 
is directly dependent upon the continuous operation of the process. 
How can these contingencies be handled? In general, there is no 
simple answer to this question. Each contingency must be analysed 
separately and a determination must be made concerning whether to 
apply contingency prevention, contingency control, contingency 
planning or some combination of the three. That is, one could try 
to prevent them. If they can occur in spite of our efforts to 
prevent them, then there are two more alternatives to consider. One 
can insure that the system is secure before the contingency occurs 
and thus insure that the system can continue to satisfy load and 
operating constraints. If the contingency can not be prevented and 
the system can not be made secure with respect to this contingency, 
then one can be ready to take action to minimize losses as soon as 
the contingency occurs. 

In the glass process as it evolved over the years, many of the 
contingencies that can be prevented have been prevented by redesign 
of the system. This redesign resulted in the permanent imposition of 
certain constraints. These constraints together with the load (mostly 
quality control) constraints have rigidly fixed most of the system 
parameters. This rigidly controlled system has fewer modes of 
operation and thus fewer alternatives when one considers security control. 
In this and other rigidly controlled systems, security analysis will 
often result in additional preventative measures and contingency plans 
for those contingencies that can not be prevented. Contingency 
control will be the exception rather than the rule because the system is 
already over-constrained by the existing constraints. When a system 
is over-constrained, only a single operating point exists rather than 
a feasible operating space. Security analysis may indicate where 
some of these constraints can be relaxed in order to achieve an 
improvement of either quality or performance. If this can be done, 
then contingency control will be necessary to relax and impose 
security constraints as needed. The glass process yielded examples 
of all three methods of security control. The description of the 
application of contingency control to this process will be covered 
in the next chapter, "EXAMPLES OF CONTINGENCY CONTROL". The 
examples of contingency prevention and contingency planning will be 
discussed in this chapter. 


Inventory Outage 

The inventory outage can be prevented. However, the prevention 
requires tying up capital in increased inventories. Rather than 
completely preventing inventory outages, the decision is often made 
to reduce the capital investment in inventories and try to establish 
an inventory level which will insure that the system is secure with 
respect to this contingency, inventory outage. The contingency 
or disruptive disturbance is actually an unexpected demand or a 
delivery failure. The outage is a result of this disturbance. The 
adjustment of this inventory level becomes a trade-off problem 
between security and performance. This can be handled as a 
contingency control problem. In this particular problem, the contingency 
control appears almost as on-line contingency prevention. If the 
contingency is not totally negated, then some form of contingency 
planning will be necessary. 


Product Contamination 

For the most part, product contamination in the glass 
manufacturing process can be prevented more economically than it can be 
controlled or corrected. Contingency control involves a feedback 
loop that uses quality control information to change the 
constituents being introduced into the glass furnace. Correction after the 
contingency requires shutting down the production line, flushing, 
and restarting the production line. 

Quality control specifications and inspections of the raw 
materials received can preclude the introduction of substandard 
materials into the storage bins. The frequency of quality control 
inspections will differ with each material both because of the 
quantity used and the likelihood of receiving substandard material. 
Realistic specifications will reduce the probability of receiving 
substandard material and thus reduce the number and cost of the 
inspections. 

In the case of contamination introduced by the mixing of the 
wrong materials or the wrong amounts of raw materials, the error 
is difficult to detect until the finished product is given final 
quality control inspections and tests. Thus, by the time the error 
is detected, the contingency has already occurred. To prevent this 
contingency, the material handling system can be modified to make 
it almost impossible to cause contamination. To assist in this 
effort, a computer-aided material accounting system could keep track 
of the flow of materials. A periodic automatic auditing would 
detect possible contamination before it could become a serious 
problem. Additional quality control inspections might be initiated or 
requested based on the results of the computer auditing. If the 
contingency occurs and is detected during routine quality control 
inspections of the finished glassware, then a contingency plan need 
only consist of a method of determining if additives can correct the 
deficiencies of the glass in the furnace. If not, then the 
production line must be shut down, the furnace emptied and flushed, and 
the line restarted. If so, then the additives must be introduced 
into the furnace and the glassware being produced must be scrapped 
as cullet until it can pass the quality control inspections. This 
feedback loop has an extremely long time constant. However, by 
introducing a computer into this loop, the materials being introduced 
into the furnace can be altered in response to the quality control 
inspections. This would reduce the number of shutdowns required, 
especially if the contamination is steadily increasing. This same 
computer-aided quality control feedback loop can be used to compensate 
for the contamination introduced by the erosion of the furnace 
refractory materials. 

Contamination resulting from the introduction of a given batch
into the wrong furnace can be prevented by using either color- or
shape-coded transportation facilities. By using hoppers of either
different shapes or different sizes, one can make it impossible to
introduce a hopper into the wrong furnace. This is similar to
building interlocks to prevent contingencies. An alternative method
of prevention is the creation of a contained system. Once the
system is contained, then only the integrity of the boundaries need
to be maintained. Again a computer-aided transportation system
can keep track of the movement of materials and assist in maintaining
the integrity of the boundary. For example, an identification card
would accompany a batch as it moves through the mixing process and
then through the plant. The computer would keep account of the
materials added to the mix. If this mixture was incorrect, a gate
regulating entry to the rear of the furnace would not open for the
wrong type of mix. This type of system would be warranted if the
losses involved in furnace contamination were large enough. In
certain high quality specialty glasses this is the case, for a con-
taminated furnace cannot be corrected but must be shut down, flushed
and restarted. Since the greatest cost is the downtime and the loss
of production, this can be minimized by developing a sequence of
actions (a contingency plan) to shut down, flush and restart this
furnace in a minimum amount of time.

Contamination caused by batch separation can also be prevented, 
when warranted. Separation occurs because certain necessary condi- 
tions are present, namely agitation and space between constituents. 
The agitation can be reduced and the space nearly eliminated by 
compacting the mixture. If compacted into a shape which would opti-
mize the melting process, these compacted units could be introduced
on a continuous basis. The material handling system between the
mixing facility and the furnace could be redesigned into a continuous
system to take advantage of these compacted units.


Loss of a Vital Component 

Some components can be replaced or repaired in a relatively
short period of time. If there is an inventory following this type
of component and the inventory can be maintained above some minimum
level, then the overall system can be made secure with respect to
the loss of this component.

Contingency prevention for the loss of a component involves 
component upkeep and preventative maintenance. The scheduling of 
maintenance during scheduled downtime is common practice in many 
industries. The unexpected loss of a component indicates that this 
preventative maintenance needs to be re-evaluated. Periodic up- 
dating of maintenance techniques and maintenance schedules is an 


effective means of insuring safe and continuous operation of vital
components. An example of this in the glass manufacturing process
is the operation of the stirrer assembly that follows the forehearth
conditioning section. The contingency or disruptive disturbance is
an unexpected increase in glass viscosity, due to perhaps a loss of
temperature control in the forehearth. By changing the speed of this
stirrer, excessive torques can be avoided and stirrer failure can be
eliminated.

Many vital components do not have alternative modes of operation
and in spite of maintenance efforts will eventually fail. To be pre-
pared for these failures, contingency plans are needed for changing
the operation of the unaffected portion of the process, repairing or
replacing the damaged component and restoring the process to normal.
These contingency plans can include automatic protection devices for
the individual components as well as the overall process.

The following is a description of a contingency plan that can
be implemented by the use of an automatic protection device. In a
glass manufacturing process containing a glass pressing machine,
gobs of molten glass are fed into the female half of a mold by the
glass feeding machine. The other half of the mold then presses the
glass into the desired shape. The hot glassware may be subjected to
additional working and fire polishing before it is removed from the
mold. Eventually a vacuum device lifts the molded glassware from
the mold. The mold cools for a short period of time and is returned
to receive another gob of molten glass. If for any reason the molded
glassware is not removed, a very serious contingency has occurred.
The mold is being positioned by an automatic pressing machine. When
it is positioned under the gob chute, the molten gob of glass will
be deposited in the glassware instead of into an empty mold. Then
when the pressing action occurs, the mold will be destroyed. In
this case, contingency prevention entails design improvement and
better control of the vacuum lifting device. In spite of these
efforts, the contingency can still occur. To monitor when it has
occurred, an optical pyrometer can be installed to view the mold
cavity after it passes the vacuum lifting device. When the mold is
empty, one temperature will be recorded. When the glassware has
not been removed, a distinctly higher temperature will be recorded.
This contingency can be detected before the damage occurs. An
electrical-mechanical device can be constructed to divert the gob
chute. Whenever the mold is not empty, the gobs of molten glass
will be diverted to a cullet hopper. As soon as the glassware has
been removed, the system can be restored to normal. This can be
accomplished by operating personnel or by automatic devices which
react to a reset signal. The importance of this example is to point
out that contingency plans can be automated and when this is accom-
plished, the device which carries out the immediate actions is a
special purpose automatic protection device.
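The protection device just described, written out as an added Python example that is not part of the original thesis. The class name GobChuteGuard, the pyrometer readings, the halfway threshold and the rule that a reset is honoured only once the mold reads empty are assumptions made for the illustration.

```python
"""Automated contingency plan for the glass pressing machine.

Added example, not from the thesis. The pyrometer views the mold cavity
after the vacuum lifter; a distinctly higher reading means the glassware
was not removed, so the gob chute is diverted to the cullet hopper before
the next gob lands, and stays diverted until a reset signal arrives with
the mold reading empty again.
"""
from enum import Enum


class State(Enum):
    NORMAL = "normal"   # gobs are delivered to the mold
    DIVERT = "divert"   # gobs are diverted to the cullet hopper


class GobChuteGuard:
    """Special-purpose automatic protection device (hypothetical name)."""

    def __init__(self, empty_mold_temp, stuck_glassware_temp):
        # Threshold halfway between the two distinct readings the page
        # describes (empty mold vs. glassware not removed); constructed rule.
        self.threshold = (empty_mold_temp + stuck_glassware_temp) / 2
        self.state = State.NORMAL
        self.events = []            # (cycle, what happened), for the log

    def mold_is_empty(self, reading):
        return reading < self.threshold

    def on_reading(self, cycle, reading):
        """Pyrometer reading taken before the gob is released. A hot cavity
        latches the divert; nothing in this method un-latches it."""
        if self.state is State.NORMAL and not self.mold_is_empty(reading):
            self.state = State.DIVERT
            self.events.append((cycle, "divert: glassware not removed"))
        return self.state

    def on_reset(self, cycle, reading):
        """Reset signal from operating personnel or an automatic device.
        Honoured only once the mold actually reads empty; otherwise the
        next gob would again be deposited on the stuck glassware."""
        if self.state is State.DIVERT and self.mold_is_empty(reading):
            self.state = State.NORMAL
            self.events.append((cycle, "restored"))
            return True
        self.events.append((cycle, "reset refused"))
        return False


def run_cycles(guard, cycles):
    """cycles: list of (pyrometer_reading, reset_requested) per machine
    cycle. Returns where each gob went ("mold" or "cullet")."""
    destinations = []
    for cycle, (reading, reset_requested) in enumerate(cycles):
        state = guard.on_reading(cycle, reading)
        destinations.append("cullet" if state is State.DIVERT else "mold")
        if reset_requested:
            guard.on_reset(cycle, reading)
    return destinations


# Constructed sample: empty mold reads about 900, stuck glassware about 1480.
SAMPLE_CYCLES = [
    (900, False), (905, False),
    (1480, False),   # glassware left in the mold: divert before the gob lands
    (1470, False),
    (1475, True),    # reset attempted while glassware still present: refused
    (910, True),     # glassware removed; reset honoured after this gob
    (905, False),
]

if __name__ == "__main__":
    guard = GobChuteGuard(empty_mold_temp=900, stuck_glassware_temp=1480)
    print(run_cycles(guard, SAMPLE_CYCLES))
    for event in guard.events:
        print(event)
```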


Loss of a Control System 


The contingency resulting from a partial or total loss of a
control system can be handled by the system designers. Most control
systems have or can be provided with alternative methods of control. 
The important aspect of this contingency control is that sufficient 
measurement and detection equipment must be installed to indicate 
to operating personnel when a given method of control is inadequate. 
The indication to change the mode of control must be clear and 
decisive. If this is the case, then a well-designed alarm system 
can present the conditions and the alternatives. 

If the dominant response is slow enough, the mode of operation
can be shifted before the contingency occurs and thus this is a
form of contingency control. In some processes, the mode of opera-
tion will be shifted automatically by fast acting automatic protec-
tion devices. In this case, these devices are automated contingency
plans. As a control system becomes more complicated, more alterna-
tives can be provided to handle partial or total failure of that
control system. The decision of which mode should be selected
depends on the condition or state of the process and the nature of
the failure. In order for the system designer to determine whether
adequate alternatives are available, he can assume that all or any
portion of the control system can fail and if sufficient means are
available to carry out the applicable contingency plan, then the
alternatives are adequate. If the alternatives are not adequate,
then simulation will indicate the performance of the system in the
absence of this control system.
The simulation will also indicate when a "fail-safe device" is
needed. An example of such a device designed for this purpose is
the provision of automatic "scrams" on a nuclear reactor.


Loss of a Major Utility 

The contingencies that involve the loss of a major utility are
different in the sense that these utilities are often provided by
an external system not under the jurisdiction or control of the
glass manufacturer. It is difficult if not impossible to instrument
and monitor this external system in order to be able to predict or
prevent a loss. The effects of this contingency are often catas-
trophic and compounded due to the lack of experience in handling
this type of casualty. The loss is usually sudden and without
warning. Even if a back-up or alternative system is available, it
is used after the contingency occurs. Since the loss cannot be
prevented or controlled, the remaining alternative is to provide
contingency plans that are based on the experience of operating
personnel and the knowledge of the system designers. The actual
contingency plans that were required by the glass process for loss
of a major utility varied from quite simple to extremely complex.
It may be necessary to automate the more complex plans, either with
automatic protection devices or a computer system. The proper
sequencing of actions, timing, and the assignment of customer
priority (for the particular utility) are very important aspects of
these plans. Regardless of how they are carried out, there is a
sequence of actions to be taken that will minimize losses.

In summary, this chapter has demonstrated that contingencies
exist in an industrial system and that security control actions for
these contingencies can be developed. For each contingency, the
actions of contingency prevention and contingency planning were
identified and separated. Contingency control was only applicable
where the operating space consisted of more than one operating
point. In those cases, where contingency control could not be
applied, the single mode of operation (operating point) was deter-
mined by the load and operating constraints on that subsystem.








CHAPTER V 
EXAMPLES OF CONTINGENCY CONTROL 


In this chapter, emphasis is on examples which have operating
spaces rather than a single operating point. An operating space is
a collection of feasible operating points. When this set has only
one feasible operating point it will be referred to as a "single
operating point." Contingency control, the imposition and relaxa-
tion of security constraints, can be applied to these examples. The
examples have been chosen to illustrate the concepts of security
control in a variety of systems. The most significant point to be
demonstrated is the existence or origin of security constraints and
the relationship of these constraints to the operating and load
constraints of a given system.


Power System Example of Contingency Control 

Let us first consider an example which is typical of those
systems that can be characterized by a network that connects
a number of sources and a number of sinks. In particular, consider
the following electrical power distribution network: three sub-
systems connected through an interconnection, shown in Figure 5-1.
In this system, subsystems A, B, and C are each individually capable
of satisfying more than the load demands in their region. The
purpose of the interconnection is two-fold, economics and security.
By buying and selling power between the subsystems, the overall sys-
tem can be operated more economically. In addition, when one of the
subsystems is experiencing an internal problem, the other subsystems
can assist by providing power and thus make the overall system less
susceptible to these disturbances.

To clarify the necessity of contingency control for this electri-
cal power system, consider this system under the following conditions:
assume the power being produced by subsystems A and C is considerably
less expensive than the power being produced by subsystem B, and the
interconnection lines to subsystem B are each capable of carrying
half of the load demanded of subsystem B. The solution of the
economic dispatch problem under these assumptions would dictate that
subsystem B buy all of its power from subsystems A and C and that
the generating capability of subsystem B be secured. Of course this
is an extreme, but for the purposes of this illustration, it is
realistic. Now with the generating capability of subsystem B
secured, consider the following contingency, loss of a single
interconnection line to subsystem B.

Prior to this contingency, conditions were as follows: the
system was in a normal mode of operation, subsystems A and C were
providing all of the power to subsystem B, both interconnecting
lines were loaded to capacity. Immediately after the loss of one
of the interconnecting lines, the total load being demanded of the
subsystems A and C will not change. However, all of this load will
be demanded over the remaining interconnection line. Since the
unaffected interconnection line was previously at its capacity, in
an attempt to carry this load, it will exceed its operating con-
straints. As soon as the operating constraints have been exceeded,
the system will be in an alarm condition. If this condition is not
immediately corrected, damage to the remaining unaffected inter-
connection line will result. There are two safe alternatives. In
order to unload this interconnection line, one can either shed loads
or isolate the line from the rest of the system. Usually the time
required to shed loads is too long as compared to the time until
damage occurs. Thus, in most power systems the second alternative
is carried out. Overloads are handled by fast acting automatic
protection devices. When the automatic protection devices isolate
this interconnection line, the total load demanded of A and C will
be reduced by an amount equal to the loads of subsystem B. All of
the operating constraints can now be satisfied; however at least
one of the load constraints cannot be satisfied. Unfortunately
subsystem B has been isolated from the remainder of the system, and
its generating capability has been secured. The load constraint
that specifies satisfaction of loads for subsystem B cannot be
satisfied. Any immediate attempt to restore power to subsystem B,
without shedding loads, will result in overloading either the
undamaged interconnection line, the generating capabilities of
subsystem A and C or both, depending on how this restoration is
attempted. After loads have been shed, subsystem B can be restored
to a partial load condition. Hours later, when either the genera-
ting capacity of subsystem B is ready to assume the load, or the
interconnection line has been repaired, the load constraints on
subsystem B can be satisfied.

Were there alternative modes of operation, in which this loss
could have been prevented? There were many alternative modes.
Subsystem B could have been operated with its full generating
capability carrying its own loads. This is the most secure and the
least economical mode, when one considers only the loss of a single
tie line. Subsystem B could have been operated at a partial load
capacity with or without spinning reserve. As long as the partial
load plus the spinning reserve was equal to half of the load de-
manded by subsystem B, the system will be secure with respect to
this contingency. For this example, the most economical yet secure
mode of operation would have been to have subsystem B idling with a
spinning reserve equal to half the load demand of subsystem B. In
this mode of operation when one of the interconnection lines is
lost, the generators of subsystem B will be required to immediately
assume half of the loads of subsystem B, while the remaining half
is supplied by A and C over the unaffected interconnection line.

In stating that this is the most economical yet secure mode, the
very important question of transient stability of this system was
not described or investigated. For example, can this particular
subsystem be required to change from an idling condition to half
capacity in a very short period of time?

The more general problem of security of this power system with
respect to the loss of a single interconnection line can be deve-
loped in the following manner. In this example, the notation can be
simplified by using vector notation. However, the origin of the
security constraints for the contingency (loss of a single inter-
connection line) is not quite as obvious in the vector notation.

In order to analyze this system, one can isolate each subsystem.
Then for each subsystem I, let

$P_I$ be the power being produced by subsystem I.
$S_I$ be the spinning reserve of subsystem I.
$P_{bI}$ be the power being bought from an external source by
subsystem I.
$P_{sI}$ be the power being produced and sold to an external
subsystem by subsystem I.

The corresponding costs are

$C_{pI}$ the unit cost of producing power internally
$C_{sI}$ the unit cost of maintaining spinning reserve
$C_{bI}$ the unit cost of buying power
$C_{psI}$ the unit additional cost of the power being sold to an
external customer (This includes the profit plus the cost of
distributing this power.)
$C_{pI} + C_{psI}$ the unit cost to an external customer
$C_I$ the total cost of operating subsystem I


If the load of subsystem I is $L_I$ then there are certain relations
for each subsystem.
The load of each subsystem must be satisfied.

$P_I + P_{bI} - P_{sI} = L_I$

For this illustration, assume that a subsystem will not buy and sell
power simultaneously.

$P_{bI} \cdot P_{sI} = 0$

For systems that buy and sell power simultaneously this constraint
will not be applicable.
Each subsystem has some maximum generating capacity.
The sum of the power produced and the spinning reserve of a subsys-
tem cannot exceed the maximum capacity.
The total cost of operating subsystem I is equal to the power pro-
duction costs minus profits from selling power.
The maximum power that can be bought or sold is limited by the sum
total of the capacity of the interconnection lines into subsystem I.

$P_{bI} \le B_I$ and $P_{sI} \le B_I$

where $B_I = \sum_j B_{Ij}$
and $B_{Ij}$ is the capacity of the j-th interconnection line into sub-
system I. Each subsystem at full capacity is capable of satisfying
its own loads.

If one considers the optimization for a subsystem without security
then
minimize

$C_I = C_{pI} P_I + C_{sI} S_I + C_{bI} P_{bI} - C_{psI} P_{sI}$

subject to $P_I + P_{bI} - P_{sI} = L_I$.
In the previous description, the total capacity of the inter-
connection lines into subsystem B was equal to the capacity of
subsystem B, and the cost of buying power was much less than the
cost of producing power.
Unfortunately the cost of the power being sold is always greater
than the cost of producing that same power.


$C_{pI} + C_{psI} > C_{pI}$

All of the subsystems buy power from the interconnection, which in
turn buys power from the subsystems that are able to produce power
most economically. In this example, the interconnection will not
buy power from subsystem B. Hence the solution to the economic
dispatch problem will be

$P_B = 0, \quad P_{bB} = L_B, \quad S_B = 0$

and the cost for subsystem B will be

$C_B = C_{bB} L_B$

Any other solution with $P_B > 0$ or $S_B > 0$ will result in increased
costs. Now in order for subsystem B to be secure with respect to
the loss of either interconnection line an additional security con-
straint must be added to this set of equations, namely

$P_B + S_B \ge B_B / 2$

This will make subsystem B secure with respect to this contingency.

In this particular case, it was assumed that

$B_{B1} = B_{B2} = B_B / 2$

In general, this subsystem security constraint will be of the form

$P_I + S_I \ge \max_j \{ B_{Ij} \}$

where $B_{Ij}$ is the capacity of the j-th interconnection line into
subsystem I.
Now the I-th subsystem is secure with respect to a loss of one of
its interconnection lines, but what about the remainder of the
system? If subsystem B were supplying power instead of receiving
power then there might not be sufficient spinning reserve in the
remainder of the system to handle this contingency. This can be
remedied by using another security constraint which insures the
security of the rest of the system, namely

$\sum_{k \ne I} S_k \ge \max_j \{ B_{Ij} \}$

where
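As an added illustration that is not part of the original thesis, the following Python code carries the subsystem B dispatch through with constructed sample costs and line capacities: first without the security constraint, then with $P_I + S_I \ge \max_j B_{Ij}$ imposed, and then checks what load survives the loss of one interconnection line in each mode. The subsystem data, unit costs and function names are assumptions; selling ($P_{sI}$) is left out because in the scenario above subsystem B only buys.

```python
"""Security-constrained dispatch for subsystem B of the three-subsystem
example. Added illustration, not from the thesis: subsystem data, unit
costs and function names are constructed assumptions."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Subsystem:
    name: str
    load: int        # L_I, MW demanded in the region
    capacity: int    # maximum generating capacity, MW: P_I + S_I may not exceed it
    lines: tuple     # B_Ij, capacity of each interconnection line into I, MW
    c_p: float       # C_pI, unit cost of producing power internally
    c_s: float       # C_sI, unit cost of maintaining spinning reserve
    c_b: float       # C_bI, unit cost of buying power

    @property
    def tie_capacity(self):
        return sum(self.lines)  # B_I = sum_j B_Ij


def dispatch(sub, secure):
    """Minimise C_I = C_pI P_I + C_sI S_I + C_bI P_bI over integer MW
    settings subject to the load, capacity and tie-line constraints.
    With secure=True the security constraint P_I + S_I >= max_j B_Ij
    (survive the loss of any one line) is imposed as well.
    Returns (cost, P_I, S_I, P_bI); the integer scan is exact here because
    a linear cost over these constraints is minimised at an integer vertex."""
    best = None
    grid = range(sub.capacity + 1)
    for p, s in product(grid, grid):
        if p + s > sub.capacity:                      # generating capacity
            continue
        bought = sub.load - p                         # P_I + P_bI = L_I
        if bought < 0 or bought > sub.tie_capacity:   # P_bI <= B_I
            continue
        if secure and p + s < max(sub.lines):         # security constraint
            continue
        cost = sub.c_p * p + sub.c_s * s + sub.c_b * bought
        if best is None or cost < best[0]:
            best = (cost, p, s, bought)
    return best


def served_after_line_loss(sub, p, s, lost_line):
    """Load served in subsystem I immediately after line `lost_line` drops.
    Local generation plus spinning reserve picks up what it can; the rest
    is demanded over the surviving lines. If that exceeds their capacity,
    the fast-acting protection devices described above isolate the
    subsystem, so only its own P_I + S_I remains available."""
    remaining = sum(c for j, c in enumerate(sub.lines) if j != lost_line)
    local = min(sub.load, p + s)
    needed_import = sub.load - local
    if needed_import > remaining:      # overload: the line is isolated
        return local
    return sub.load


# Constructed sample: buying is far cheaper than producing, and two equal
# lines whose total equals the load, as in the scenario on the page.
SUB_B = Subsystem("B", load=100, capacity=120, lines=(50, 50),
                  c_p=40.0, c_s=5.0, c_b=20.0)

if __name__ == "__main__":
    for secure in (False, True):
        cost, p, s, bought = dispatch(SUB_B, secure)
        served = served_after_line_loss(SUB_B, p, s, lost_line=0)
        print(f"secure={secure}: P_B={p} S_B={s} P_bB={bought} "
              f"cost={cost:.0f}; after losing one line {served} of "
              f"{SUB_B.load} MW served")
```

The secure dispatch lands on the mode the text identified (B idling with spinning reserve equal to half its load) and its extra cost is the price of security.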


There are many elements of this example which are present in 
most security control problems. For instance, the following were 
described: operating and load constraints, the optimization prob- 
lem with or without security, the trade-off between security and 
performance, the existence of security constraints to insure 
security, the various modes of operation and their associated 
classes (normal, alarm, emergency, and restorative), and the exis- 
tence of redundant capabilities. Of course, only one contingency 
(that might belong to the set of next contingencies) was considered. 
In the security analysis of a complex system all of the contingencies 
that are in the set of next contingencies must be enumerated and 
then developed in a similar manner. An equally difficult question 
is: how can one decide which contingencies should be in the set of 
next contingencies (those contingencies with respect to which the 
system must be secure)? A thorough and complete analysis of this 
problem for the electrical power system was recently completed by 
Tomas E. Dy-Liacco (12). However instead of finding the security
constraints for each of the contingencies in the set of next con-
tingencies, Dy-Liacco used pattern recognition to identify whether
or not the system was secure or insecure. In a sense, the pattern
recognition scheme constructs a boundary which is an estimate of the
hypersurface formed by the entire collection of security constraints.
By constructing this boundary the complex problem of security analy-
sis and the enumeration of the individual security constraints can
be avoided. However, in this approach, only the Boolean answer of
secure or insecure was available. In many systems, this Boolean
answer is not only sufficient but is the only information needed for
safe, secure operation of the system. In these or other systems,
simulation can be used to predict whether or not any particular
action or event will cause the system to become insecure. A
combination of these two approaches can be used. The pattern re-
cognizer can be used to estimate the boundary based upon the informa-
tion available. Then, the optimization can be carried out subject
to the operating and load constraints and also subject to the
artificial security constraint developed by the pattern recognizer.

In the next example, security control will be applied to a
portion of a production line in continuous operation. Recall that
security control involves three approaches to a contingency (con-
tingency prevention, contingency control and contingency planning).
This example will be used only to illustrate contingency control.
The process to be examined is a portion of the glass manufacturing
process which was described in chapter four. This example was chosen
to illustrate how a system with a single operating point can be
developed into a system with an operating space.


Contingency Control in the Glass Manufacturing System 

The portion to be considered for contingency control is tradi- 
tionally called the forehearth. However this consists of four 
distinct sections: a cooling section, a conditioning section, a mixing 
section, and a platinum tube that delivers the conditioned glass to 
the glass feeding device. Typically the cooling and conditioning 
occurs in a covered open channel whose dimensions are about 26 inches 
wide, 6 to 7 inches deep, and 18 feet long. The molten glass enters 
the cooling section at a temperature near 2400 degrees. Cooling is 
controlled by adjusting the burner-flame level and the amount of 
cooling air in the cooling zone. In the conditioning section, the 
walls have electrical heating elements and the surface of the glass
can be heated by flames from above. In this section, the cooling
rate is regulated by the combined use of the burners and the resis-
tance elements. An attempt is made to deliver the glass to the
mixing section at a nearly uniform cross-sectional temperature.
Additional homogeneity is achieved by stirring this conditioned
glass in the mixing section. This glass must then be delivered to
the glass feeding device. Delivery is accomplished via a platinum
tube. Since this tube may be as long as 150 to 200 inches, it
provides a final opportunity to finely control the temperature of
the glass. In this example, the final conditioning and temperature
control is achieved by regulating the power to six sections of elec-
trical heating elements which surround the platinum tube. The glass
is delivered to the glass feeding machine which produces a gob (a
discrete mass of molten glass created by intermittently shearing the
stream of glass emerging from the orifice). This gob then free falls
into a chute and is guided into a mold in the pressing or forming
machine.

The glass forming machine needs a gob of a particular size, 
temperature (viscosity), and glass composition. Once the physical 
properties and the composition are specified, then the constituents 
used in the batch mixing process and the techniques of the melting 
and fining process will be specified. Since the rate of operation 
of the forming machinery is fixed by quality control considerations, 
then the shearing frequency will be specified. In order to achieve 
the correct size of the gob, the rate of flow will also be specified. 
That is, if the type of glass, temperature (viscosity), shearing 
frequency and flow rate are controlled at the feeding machine orifice, 
then the desired gob will be produced. Thus the parameters to be
controlled in the tube are outlet temperature (viscosity) and flow
rate. If one considers the glass to have a resistance (impedance)
to fluid flow then by maintaining a given level of glass in the
mixing section and by maintaining the total impedance across the
tube (inlet to outlet), then the flow will be controlled. This
impedance is related to the viscosity (temperature) distribution
in the tube. Traditionally the axial temperature gradient is main-
tained approximately constant from the inlet to the outlet of the
downcomer. In this case, the outlet temperature, the axial distri-
bution and the inlet temperature are completely specified as soon
as the desired outlet viscosity and the flow rate are fixed. Thus
this system has a single operating point. This in turn will specify
the outlet and inlet temperatures of the mixing section, and thus
the outlet temperature of the conditioning section.

The initial state of the glass entering the forehearth is fixed
within limits by the melting and fining process in the glass furnace.
The final state has been established by working back from the re- 
quired condition at the feeding machine orifice. Now the control 
effort in the cooling and conditioning sections is to regulate the 
state of a parcel of glass as it moves from the entrance of the 
forehearth to the stirring device. 

Consider the downcomer as a subsystem of the overall glass 
process. The inputs are the temperature of the inlet glass, the 
heat added by the electrical heaters, the environment (or ambient 
temperature) and the level of the glass in the stirring section. 
The outputs are the temperature (viscosity) distribution of the 
glass and the flow rate. The process under consideration can be
depicted as follows:

FIGURE 5-3. Block diagram of the downcomer subsystem: the inputs
$T(0,t)$, $T_a(x,t)$ and $q(x,t)$ enter the SYSTEM; the outputs are
$\eta(x,t)$, $T(x,t)$ and $w(t)$.

where
$T(0,t)$ is the inlet temperature (temperature of the glass in the
mixing area)
$T_a(x,t)$ is the ambient temperature (temperature adjacent to the
insulation)
$q(x,t)$ is the heat added by electrical heaters
$\eta(x,t)$ is the viscosity of the glass
$T(x,t)$ is the temperature of the glass in the tube
$w(t)$ is the flow rate


The temperature distribution can be considered as the "operating
point". In order to expand from a single mode of operation to an
operating space, one must consider the origin of the specifications
on the downcomer subsystem. There is a performance index (expressed
in terms of the system parameters) for the overall glass process.
Let this be denoted as:

P = P (system parameters)

Now in order to maximize performance, each subsystem must operate
at a desired operating point. For the downcomer subsystem, the
outlet temperature and the flow rate must be regulated. This will
result in two load constraints on this system, namely:

$T_{\text{outlet}} = T_{\text{desired}}$

$w = w_{\text{desired}}$
These load constraints can be satisfied by an infinite number of
temperature distributions. However, only one temperature distri-
bution has a constant linear gradient from inlet to outlet. One
can show that the "volumetric average viscosity" of the glass in
the downcomer is inversely proportional to the flow rate. There-
fore one need only insure that this volumetric average is regulated
at a constant that is determined by the desired flow rate. This is
equivalent to regulating the fluid impedance of this fluid. Thus
by not imposing the constant temperature gradient requirement, there
will be an infinite number of acceptable temperature distributions
(operating points). To achieve approximately a linear temperature
gradient and yet allow some flexibility, one can minimize the
deviation from a desired linear gradient, and still insure that the
load constraints are satisfied. Before the linear gradient require-
ment was relaxed, the operating constraints on this system need not
be expressed because they were redundant. Now one must analyze
this system for operating constraints. The events that can jeopar-
dize the operation of this system are the loss of one or more of
the heaters and/or the loss of control for this process. For
example, if the power level of any one of the control heaters
approaches zero, the flow and temperature control will be lost,
resulting in a poorer quality glass and a reduction in profits.
Thus one operating constraint will be

$q_i \geq q_{i\min}$

where $q_i$ is the heat added by the electrical heaters in the i-th section. Similarly, there are operating constraints restricting power to below some maximum value.


This constraint insures that the heater is not lost due to the action of an automatic protection device during normal operation. In order to be useful, the operating and load constraints must be expressed in terms of the variables of the operating space (the temperature distribution). In the next chapter this system (the downcomer) will be developed in more detail to illustrate actual implementation of contingency control. To accomplish this, disruptive disturbances that will cause constraint violations need to be enumerated. Then, corresponding to each of these contingencies, security constraints must be developed. Then the operating point can be selected so as to be secure with respect to these contingencies. If one considers this as a dynamic problem, then the security constraints will be relaxed and imposed to achieve the desired degree of security. However, the optimization will strive to achieve an operating point that is as close as possible to the desired operating point. In this manner the trade-off between security and performance can be handled as a dynamically constrained optimization problem.










Before continuing on this implementation, consider one other application to the glass manufacturing process. This example occurs in the stirring area. At high viscosities, the torque required of the motor that drives the stirring mechanism can become excessive. For optimal performance in stirring the glass, it is desirable that the speed of the stirrer be maximized. Yet the torque on the motor is proportional to the stirring speed times the viscosity of the glass. As the torque increases, either the drive motor will be damaged or the stirring mechanism will break. Either of these events will bring the production line to a standstill, resulting in a large financial loss in addition to the cost of repairing the damage and restarting the process. The contingency is an unexpected increase in glass viscosity. Traditionally this stirrer is operated at a maximum speed and this is maintained constant once the process has been started. There is a single operating constraint and no load constraints on this system. The operating constraint states that the stirrer speed times the viscosity must be less than some safe value. There are two security control approaches. One can implement a form of on-line contingency control. By measuring viscosity (or temperature) and then continuously maximizing the stirrer speed subject to the operating constraint, the system will be secure. As the viscosity increases the speed will automatically be reduced. As a result of reducing the stirring speed, the efficiency of the stirrer will go down. This may be reflected by an increase in the number of rejected pieces of glassware. However this small increase in the amount of cullet is less costly than shutting down the entire process. If there is a lag in the measurement, then an alternative approach is to create a security constraint that is more conservative than the operating constraint. If, for example, one wants to be secure with respect to an unexpected increase in viscosity of $\Delta\eta$, then for the operating constraint

$\eta\, N < K$

the security constraint is:

$(\eta + \Delta\eta)\, N < K$

where
N is the speed of the stirrer
η is the measured viscosity
Δη is the contingency
K is a safe constant

This stirrer will be operated at a speed of

$N(\eta) = K / (\eta + \Delta\eta)$

This example is extremely simple yet it demonstrates the concepts of contingency control for a one-dimensional operating space. It also demonstrates the fact that the security constraints can coincide with the operating constraints. This was the case when the viscosity was being measured continuously, or when $\Delta\eta = 0$. There are other simpler solutions to this problem, such as the installation of slip clutches or circuit breakers to provide automatic protection. However, this example was presented to illustrate the formulation of security constraints for the simplest possible case, i.e., a one-dimensional operating space.

In these three examples, in order to insure security it was necessary to impose security constraints. If one were to decide that the system must always be secure with respect to these contingencies then the security constraint might be added to the other constraints on a permanent basis. However, if it need only be imposed under certain conditions, then provision can be made to relax and impose the security constraint in order to effect a trade-off between security and performance. It must be recognized that when the constraint is relaxed and the contingency occurs there will be a penalty, damage and/or a financial loss.

In the electrical power example, if the contingency occurred and the constraint had been imposed, no additional damage or financial loss would be experienced. This was also true in both glass examples. In the stirrer example, the selection of a security constraint that involved both a term representing performance (stirrer speed) and a term that was related to the contingency (viscosity) allowed a trade-off to be realized in a straightforward manner. In general, this will not be the case. The trade-off between security and performance will not be a simple relationship.








CHAPTER VI 
IMPLEMENTATION OF CONTINGENCY CONTROL 


In the last chapter, a portion of the glass manufacturing process 
was described in detail. That portion was the downcomer subsystem. 
It was used to demonstrate how an operating space can be created 
from a single operating point. In this chapter, it will be used to 


demonstrate the implementation of contingency control. 


The Downcomer Subsystem

This part of the glass process can be briefly described as follows: glass from the forehearth conditioning section enters a mixing area. After being mixed, it flows through a platinum tube (the downcomer) to a shearing device. The outlet temperature and the flow rate are regulated by controlling the heat being lost to the environment. This control is accomplished by six sections of electrical heaters which regulate the axial temperature distribution. Since the shearing device does not regulate flow but merely interrupts a continuous stream of molten glass to produce gobs of the correct size, the shearing device can be considered external to this system. Thus the system under consideration is a viscous fluid flowing through a heated metal tube. The following assumptions were necessary. The inlet fluid was considered to be homogeneous and the distribution of heat added was considered to be piecewise constant. The fluid motion results from a driving force, namely the static head developed by the gravitational force on this fluid. To fully understand this system it is necessary to develop and study a realistic mathematical model.


The Mathematical Model

This system involves both heat and mass transfer. By considering a differential element and applying Newton's law of motion, the equations of motion were developed. The development paralleled that given by Long (22). For glass, the only body force of importance is the gravitational force. If one assumes a linear relationship between the dynamic stress and the rate of strain and also that the glass is isotropic, then the resulting equations will be the classical equations of a Newtonian fluid.


$\rho\, dV\, D v_i = \rho\, dV\, G_i + \sum_j \frac{\partial \sigma_{ij}}{\partial x_j}\, dV$

where

$\sigma_{ij} = -p\, \delta_{ij} - \tfrac{2}{3} \mu\, \Theta\, \delta_{ij} + 2\mu\, e_{ij}$

ρ = density of the glass
dV = the incremental volume
$G_i$ = the i-th component of the gravitational force
$\sigma_{ij}$ = the i-th component of the stress force per unit area exerted across the surface normal to the j-th axis on the material pierced by the minus j-th axis
$\delta_{ij}$ = the Kronecker delta
$e_{ij}$ = the rate of strain tensor = $\tfrac{1}{2} \left( \frac{\partial v_i}{\partial x_j} + \frac{\partial v_j}{\partial x_i} \right)$
$v_i$ = the i-th velocity component
μ = the dynamic coefficient of viscosity
Θ = the divergence of the velocity = $\sum_i \frac{\partial v_i}{\partial x_i}$
D = the time rate of change = D/Dt


For the pressures under consideration, the molten glass was considered to be incompressible. The equation resulting from the requirement that the mass within the differential element be conserved was

$D(\rho\, dV) = 0$

Using this, the equations of motion reduce to the Navier-Stokes equations for a viscous incompressible Newtonian fluid.

By considering an energy balance on this same differential ele- 
ment of glass the accumulation of thermal energy can be equated to 
the net heat transfer into this element. The resulting differential 
equation is as follows: 


1 ee ; 








where
$C_p$ = the specific heat of the glass
T = the temperature of the glass
k' = the equivalent coefficient of thermal conductivity


The exact solution to this set of four nonlinear partial differen- 
tial equations has not been found. By making additional simplifying 
assumptions certain steady state and one dimensional transient 
problems were solved and studied. These exact solutions were valu- 
able in making engineering approximations and later simulating this 
system. 

For example, if one assumes that the flow is laminar and fully 
developed, then the steady state velocity and temperature distribu- 


tions can be calculated. 


$v(r) = \frac{g_c}{4\mu} \left( -\frac{dp}{dx} \right) \left( r_i^2 - r^2 \right)$

where

$g_c$ = Newton's gravitational constant

p = the pressure

$r_i$ = the internal radius of the tube

r = the distance from the centerline


The average velocity is:

$\langle v(r) \rangle = v_{avg} = \frac{1}{A_c} \int_{A_c} v(r)\, dA$

where
$dA = 2\pi r\, dr$

$A_c$ = the cross-sectional area

From this one finds

$v_{\max} = 2\, v_{avg}$


The average velocity is known and is related to the mass flow rate:

$v_{avg} = \frac{w}{3600\, \rho\, A_c}$ (ft./sec.)

where

w = the mass flow rate in lb/hour

ρ = the density in lb/cubic foot


The Navier-Stokes equations were used to develop the parabolic velocity distribution (Poiseuille flow). The derivation and implications of Poiseuille flow have been summarized by Bird (7). Another important result was the relationship between the flow rate and the pressure gradient.

$-\frac{dp}{dx} = k_1\, w\, \mu$

where

$k_1 = \frac{8}{3600\, \rho\, A_c\, g_c\, r_i^2}$

This will be valuable in the development of the load constraints for this system.







Knowing the steady state velocity distribution, one can calculate 
the fully developed steady state temperature distribution. 


$T(x,r) = T(x,r_i) - \frac{2\, v_{avg}\, \rho\, C_p}{k'} \frac{dT}{dx} \left( \frac{3 r_i^2}{16} - \frac{r^2}{4} + \frac{r^4}{16\, r_i^2} \right)$


Assuming that the radial heat flux is constant produces some very useful results. Specifically, the steady state axial temperature gradient is a constant. Moreover, the axial temperature gradient at the wall of the metal tube, the axial temperature gradient at the centerline and the axial temperature gradient of the bulk temperature (flow-average temperature) are all equal to the same constant. This is of particular importance for it justifies the attempt to maintain a constant linear temperature gradient for the entire length of the downcomer. It also justifies the use of a one dimensional simulation of this system.

In the preceding chapter, this system was depicted as a relation between a set of inputs and a set of outputs. Now using the assumption that the heat added is piecewise constant, one can develop the system as six similar subsystems in series. These subsystems correspond to the six sections, each having its own heater for temperature control. To reduce the dimensionality of this system, consider the bulk temperature

$T_B(x,t) = \frac{\int_{A_c} v(r)\, T(x,r,t)\, dA}{\int_{A_c} v(r)\, dA} = \frac{1}{A_c\, v_{avg}} \int_{A_c} v(r)\, T(x,r,t)\, dA$

where

$\langle v(r) \rangle = v_{avg}$

Let
$T_{i-1}(t)$ be the inlet bulk temperature
$T_i(t)$ be the outlet bulk temperature
$\eta_i(t)$ be the average viscosity of the i-th section
$q_{Hi}(t)$ be the heat added by the electrical heaters for the i-th section
$q_{Gi}(t)$ be the net heat loss by the glass in the i-th section
$q_{Ai}(t)$ be the heat loss to ambient in the i-th section


Assume that the ambient temperature adjacent to the insulation is a constant. Then each subsystem can be considered as follows:

FIGURE 6-1 (the i-th subsystem: inlet bulk temperature $T_{i-1}$, outlet bulk temperature $T_i$, heater input $q_{Hi}$, flow rate w)

Note that

$\Delta P_i / \Delta L_i = -k_1\, w\, \eta_i$


This subsystem can be represented by the following linear approximation,

$T_i(s) = T_{Hi}(s)\, T_{i-1}(s) + T_{Gi}(s)\, Q_{Gi}(s)$

where
$T_i(s)$ is the Laplace transform of $T_i(t)$
$T_{Hi}(s)$ and $T_{Gi}(s)$ are the appropriate transfer functions
$Q_{Gi}(s)$ is the Laplace transform of $q_{Gi}(t)$


In block diagram form,

FIGURE 6-2 (block diagram of the i-th subsystem: $T_{i-1}(s)$ through $T_{Hi}(s)$ and $Q_{Gi}(s)$ through $T_{Gi}(s)$, summed to give $T_i(s)$)
where 
re AL; 2h C) S 
Tp (S) = exp t-y— 2 OF Vy g(POS a 
and 
2 2 
~- pw cee 
1 
PA ena 
i 


This can be approximated by 


Ty; (s) = exp { 2 1+ ee 5 ala 
Gould (14) discusses the justification of this approximation.

where
$V_i$ is the volume of the i-th section
F is the volumetric flow rate
$M_w$ is the mass of the pipe per unit length
$C_w$ is the specific heat of the wall
$C_g$ is the specific heat of the glass
ρ is the density of the glass
$A_c$ is the cross-sectional area of the glass
$\Delta L_i / v_{avg} = V_i / F$


A more sophisticated non-linear approximation was suggested by Paynter (25 and 10).

Now that the system has been described, an appropriate mathematical model has been developed, and a one-dimensional linear approximation to this model has been developed, the process can be simulated. This simulation will be necessary in the development of the control system.


Traditional Control

The traditional control is straightforward. On the direct control level, the outlet temperature of each of the six subsystems is being regulated. The set points are determined on the basis of the performance of the downcomer and the performance of the overall glass manufacturing process. Overall performance determines the desired outlet temperature, $T_{6D}$, and the desired flow rate, $w_D$. Once $T_{6D}$ and $w_D$ have been specified, then the set points, $T_{is}$, $i = 0, 1, 2, \ldots, 6$, can be selected to optimize the performance of the downcomer. There are several alternate measures of downcomer performance. For example, one can minimize the electrical heater power. This can be expressed as:

$\min\; c' q$

Since $q = q(T_0, T_1, \ldots, T_6)$, this minimization can be expressed as:

$\min\; d' T$

subject to

$T_{6s} = T_{6D}$

$w(T_s) = w_D$

and

$T_s = (T_{0s}, T_{1s}, \ldots, T_{6s})$


An alternate optimization would be to minimize the deviation from a linear gradient subject to the requirements that the desired flow rate and the desired outlet temperature be maintained. The multi-level decomposition for a traditional control system is shown in Figure 6-3.

FIGURE 6-3 (multi-level decomposition of a traditional control system: Self-Organizing Control, Adaptive Control, Optimizing Control, Direct Control)


Previously, only direct control had been implemented on the down- 
comer system. Before describing the security control that is 
applicable to this process, the requirement that the desired flow 
rate be maintained needs further development. 

A relationship between the flow rate and the axial pressure 
gradient for steady state fully developed laminar flow in a tube 


was previously given as:

$-\frac{dp}{dx} = k_1\, w\, \eta$

For each section this equation becomes

$\Delta p_i = -k_1\, w\, \eta_i\, \Delta L_i$

But for the entire downcomer,

$\rho g h + \sum_i \Delta p_i = 0$

or

$\rho g h = k_1\, w \sum_i \eta_i\, \Delta L_i$

For the case where $\Delta L_i = \Delta L$ = constant for all i,

$\rho g h = k_1\, w\, \Delta L \sum_i \eta_i$


Security Control

The security control problem is a constrained optimization problem where the constraints result from load requirements, operating requirements and security requirements. Both optimization problems (described in the previous chapter) were considered. The minimization of heater power was quite simple and did not really resemble the actual operation of this process. Minimizing the deviation from a linear gradient closely approximates how the process is actually operated. If one attempts a least squares fit to the linear gradient, the optimization problem becomes a quadratic programming problem. Using Wolfe's technique this quadratic programming problem can be reduced to a special type of linear programming problem. This approach was taken and was found to be rather complex and time consuming when one tries to relax and impose security constraints. Finally, a curve fitting approach (Kelley's (19)) was used to minimize the maximum deviation from a desired curve. Originally the operating space was composed of an infinite number of temperature distributions. By considering the heat added to be piecewise constant, this infinite dimensional operating space can be replaced by a seven dimensional operating space. Each vector consists of seven temperatures, taken at specified intervals along the platinum tube.


$T = (T_0, T_1, \ldots, T_6)^T$

$T_0$ is the bulk inlet temperature and $T_6$ is the bulk outlet temperature. If $T_{iD}$ is the desired bulk temperature out of the i-th section (found by solving a linear algebra problem), then the deviation $d_i$ is:

$d_i = T_i - T_{iD}$

In this particular implementation, a linear program was used to solve the constrained optimization. Therefore the unrestricted seven dimensional variable d was considered to be composed of two non-negative variables, $d = d^+ - d^-$. In order to minimize the maximum deviation from the gradient another variable was necessary, namely the maximum deviation, D. Using these twenty-two variables, the optimization without operating, load or security constraints becomes

$\min\; D$

subject to

$T - d^+ + d^- = T_D$
$d^+ - \mathbf{1} D \leq 0$
$d^- - \mathbf{1} D \leq 0$


The load constraints are a result of the performance of the overall glass process. The load constraints are

$T_{6s} = T_{6D}$

and

$\sum_i \eta_i = \frac{\rho g h}{k_1\, w_D\, \Delta L}$

The first load constraint will fix $T_{6s}$ and will be satisfied by any continuous temperature distribution that begins with $T_0$ and ends with $T_{6D}$. The second load constraint requires that the average viscosity be a constant. This constant is determined by the desired flow rate.

In order to operate this subsystem properly it is desirable that the heater power be maintained within certain limits. For example, if the power level of any one of the control heaters approaches zero, the flow and temperature control will be lost, resulting in a poorer quality glass and a reduction in profits. Thus one operating constraint will be


This becomes 


6, * 2G Tg s Oa hay) Tit Ga Sed Fin 
In a similar manner, there are operating constraints restricting power to below some maximum value. This constraint insures that the heater is not lost due to the action of an automatic protection device during normal operation. It becomes
Ua oi Ty + Ogee) Thy s 8) + KUT, 


The third type of operating constraint may result from a restriction 


on the sum of the heater powers. 
oes’ 
1 


In order to be useful in this linear program, each of these load and operating constraints must be converted into the form

$a_j^T T \;\; \Delta_j \;\; b_j$

where $\Delta_j$ can be ≤, = or ≥. For this system, this was accomplished and the collection of operating and load constraints was expressed as:

$A\, T \;\; \Delta \;\; b$


In order to illustrate the development of security constraints, two contingencies will be analyzed. These are by no means the only contingencies pertinent to this example. The first contingency will result in a single violation of one of the load constraints. The second will result in violations of both operating and load constraints. The two to be considered are (1) a change in glass level in the forehearth and mixing areas and (2) a change in the inlet temperature. A large change in forehearth level can be due to material being fed into the glass furnace either too fast or too slowly (due perhaps to a faulty auger drive mechanism). A large change in downcomer inlet temperature can be due to a failure of the forehearth temperature control or the securing of gas to the flaming jets that heat the glass in the forehearth. Without analysing the cause, consider the effect on the downcomer subsystem.

Any change in either the glass level or the inlet temperature will result in a violation of the operating or load constraints. This can be demonstrated with the process simulation or by considering that

$w = \frac{\rho g h}{k_1\, \Delta L \sum_i \eta_i}$

Any increase or decrease in level will result immediately in a change in flow rate. After an appropriate time delay, the outlet temperature increases (decreases) for an increase (decrease) in inlet temperature. In each section, as soon as the change in outlet temperature occurs the controllers react; however, there is a lag before the effect of the controller is realized. Thus this system still cannot be made secure with respect to certain contingencies. This demonstrates an important point: if a contingency will result in the violation of an equality constraint (load or operating), there does not exist a security constraint that will insure security with respect to this contingency. Therefore the load constraints of the system must be considered more closely.
In reality, there are usually tolerances on the system parameters. That is, these system parameters may be allowed to vary as follows:

$w_{\min} \leq w \leq w_{\max}$

$T_{6\min} \leq T_6 \leq T_{6\max}$

without any measurable degradation of overall system performance, or with some acceptable reduction. If this is the case, then the rigid load constraints can be relaxed. For example, if

$a_j^T T = b_j$

is equivalent to

$\sum_i \eta_i(T_i) = \frac{\rho g h}{k_1\, w_D\, \Delta L}$

in the linear program, then it can be replaced by:

$a_j^T T \leq b_{j\max}$
$a_j^T T \geq b_{j\min}$
$a_j^T T - d_j^+ + d_j^- = b_j$
$d_j^+ \geq 0$
$d_j^- \geq 0$








and $T_{6s} = T_{6D}$ is replaced by:

$T_{6s} \leq T_{6\max}$
$T_{6s} \geq T_{6\min}$
$T_{6s} - d_6^+ + d_6^- = T_{6D}$
$d_6^+ - D \leq 0$
$d_6^- - D \leq 0$


In the actual implementation, tolerances on the outlet viscosity were used to generate the maximum and the minimum values for the outlet temperature. The system simulation was used to find the corresponding tolerances on the other temperature set points. Now the system can be operated in such a manner as to be secure with respect to either an increase or a decrease (but not both) of $\Delta h_c$. It can be operated so it is simultaneously secure for either an increase or a decrease of $\Delta h_c / 2$. This illustrates an important point, that the increasing and the decreasing levels are separate contingencies and should be treated as such.

First consider an increase in level. The maximum increase for which the system can be made secure is $\Delta h_c$, and for any $\Delta h_I < \Delta h_c$ the security constraint to insure that the system is secure with respect to $\Delta h_I$ is:

$w + \frac{\rho g\, \Delta h_I}{k_1\, \Delta L \sum_i \eta_i} \leq w_{\max}$


Similarly for a decrease $\Delta h_D$, where

$\Delta h_D < \Delta h_c$

there is a security constraint of

$w - \frac{\rho g\, \Delta h_D}{k_1\, \Delta L \sum_i \eta_i} \geq w_{\min}$

In this case if

$\Delta h_I + \Delta h_D > \Delta h_c$

then the system cannot be secure with respect to both contingencies.

In other problems it may not appear as straightforward as this example, but in essence w is indirectly an element of the operating space and the distance from one extreme of the normal portion of this operating space to another extreme, expressed in terms of w, is $w_{\max} - w_{\min}$. This distance must be mapped into the contingency space, of which level is just one element. The corresponding distance is $\Delta h_c$, and this is the maximum change of h for which this system can be secure without redefinition of the boundary of the normal operating space. Note that there may be a penalty for imposing the security constraint. Namely, if the security constraint moves the flow rate away from $w_D$, then

$P(w, T_{6D}) < P(w_D, T_{6D})$

and the penalty is the difference

$P(w_D, T_{6D}) - P(w, T_{6D})$
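The level-change security check above, worked through in code. This is an added example, not code from the dissertation; the flow-rate relation $w = \rho g h / (k_1 \Delta L \sum_i \eta_i)$ is the text's, while the lumped constant C, the operating data and the tolerances are constructed values.

```python
"""Contingency check for the downcomer flow-rate load constraint under a
change in glass level.  Added worked example, not code from the dissertation.

Model taken from the text:  w = rho*g*h / (k1 * dL * sum(eta_i)).
All numbers are constructed for illustration; the lumped constant
C = rho*g/(k1*dL) and consistent units are assumptions."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Downcomer:
    C: float        # lumped constant rho*g/(k1*dL) (assumed)
    h: float        # static head (glass level) at the desired operating point
    w_min: float    # lower tolerance on flow rate (relaxed load constraint)
    w_max: float    # upper tolerance on flow rate
    w_D: float      # desired flow rate

    def flow_rate(self, sum_eta: float, dh: float = 0.0) -> float:
        """Flow rate for a viscosity sum sum(eta_i) after a level change dh."""
        return self.C * (self.h + dh) / sum_eta

    def desired_sum_eta(self) -> float:
        """Load constraint: the viscosity sum that yields w_D at nominal level."""
        return self.C * self.h / self.w_D

    def dh_c(self) -> float:
        """Distance w_max - w_min mapped into the contingency (level) space at
        the desired operating point: the largest level change the tolerances
        can absorb (the text's Delta h_c)."""
        return self.h * (self.w_max - self.w_min) / self.w_D

    def is_secure(self, sum_eta: float, dh_I: float, dh_D: float) -> bool:
        """The operating point stays inside the relaxed load constraint after a
        level increase dh_I and after a level decrease dh_D, treated as two
        separate contingencies."""
        return (self.flow_rate(sum_eta, +dh_I) <= self.w_max
                and self.flow_rate(sum_eta, -dh_D) >= self.w_min)

    def security_bounds(self, dh_I: float, dh_D: float
                        ) -> Optional[Tuple[float, float]]:
        """Security constraints on sum(eta_i):
             C*(h+dh_I)/sum_eta <= w_max   and   C*(h-dh_D)/sum_eta >= w_min
        Returns the feasible interval, or None when no operating point is
        secure with respect to both contingencies at once."""
        lo = self.C * (self.h + dh_I) / self.w_max
        hi = self.C * (self.h - dh_D) / self.w_min
        return (lo, hi) if lo <= hi else None

    def secure_operating_point(self, dh_I: float, dh_D: float
                               ) -> Optional[Tuple[float, float]]:
        """Impose the security constraints and move the desired operating point
        the minimum distance needed.  Returns (sum_eta, w_D - w), the second
        element being the flow-rate shift that the performance penalty
        P(w_D, T_6D) - P(w, T_6D) is charged for."""
        bounds = self.security_bounds(dh_I, dh_D)
        if bounds is None:
            return None
        lo, hi = bounds
        sum_eta = min(max(self.desired_sum_eta(), lo), hi)
        return sum_eta, self.w_D - self.flow_rate(sum_eta)


# Constructed operating data (not from the dissertation).
DC = Downcomer(C=1000.0, h=10.0, w_min=90.0, w_max=110.0, w_D=100.0)

if __name__ == "__main__":
    print("desired sum(eta):", DC.desired_sum_eta())
    print("dh_c:", DC.dh_c())
    print("secure at desired point for +1.5/-0.5?",
          DC.is_secure(DC.desired_sum_eta(), 1.5, 0.5))
    print("security bounds on sum(eta):", DC.security_bounds(1.5, 0.5))
    print("secured point and flow shift:", DC.secure_operating_point(1.5, 0.5))
    print("both +2.0 and -1.0:", DC.secure_operating_point(2.0, 1.0))
```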


Now consider the more complicated contingency, a radical change in the bulk inlet temperature. Again this should be separated into two distinct contingencies, the increase and the decrease. First consider an increase in inlet temperature. There are several effects of this contingency. It will cause

$T_6 > T_{6D}$

thus violating a load constraint. The other temperatures, $T_i$, along the downcomer will increase causing the viscosities to decrease. The average viscosity will not be equal to the desired constant and the flow rate will increase,

$w > w_D$

Since the increasing inlet temperature will result in a decrease in the power required by the electrical heaters, one of the heaters may approach its lower limit.

Can the system be made secure with respect to this contingency? As mentioned before, there are tolerances on w and $T_6$:

$w_{\min} \leq w \leq w_{\max}$

$T_{6\min} \leq T_6 \leq T_{6\max}$

Using either the inverse system relations or the simulation one can find out how the distances $T_{6\max} - T_{6\min}$ and $w_{\max} - w_{\min}$ map into the contingency space. Let the corresponding ranges in inlet temperature be $\Delta T_{0T}$ and $\Delta T_{0w}$. That is, $\Delta T_{0T}$ is the maximum change in inlet temperature the system can suffer without violating the load constraint on the outlet temperature and $\Delta T_{0w}$ is the maximum change in inlet temperature that will not cause a violation of the load constraint on flow rate. The system can be made secure only with respect to the smaller change. Before determining this value, the change in inlet temperature which will cause a violation of a heater constraint must also be calculated. Let these be denoted as $\Delta T_{0i}$, $i = 1, 2, \ldots, 6$. The distances in the operating space are:
a 
Now

$\Delta T_{0c} = \min \{ \Delta T_{0i},\ \Delta T_{0T},\ \Delta T_{0w} \}$

where $\Delta T_{0c}$ is the maximum increment for which the system can be made secure. Suppose one would like to be secure with respect to both an increase of $\Delta T_{0I}$ or a decrease of $\Delta T_{0D}$, where

$\Delta T_{0I} + \Delta T_{0D} \leq \Delta T_{0c}$

then the security constraints will be

$q_{i\min} + (q_{i\max} - q_{i\min}) \frac{\Delta T_{0I}}{\Delta T_{0i}} \leq q_i \leq q_{i\max} - (q_{i\max} - q_{i\min}) \frac{\Delta T_{0D}}{\Delta T_{0i}}$

$T_{6\min} + (T_{6\max} - T_{6\min}) \frac{\Delta T_{0D}}{\Delta T_{0T}} \leq T_6 \leq T_{6\max} - (T_{6\max} - T_{6\min}) \frac{\Delta T_{0I}}{\Delta T_{0T}}$

$w_{\min} + (w_{\max} - w_{\min}) \frac{\Delta T_{0D}}{\Delta T_{0w}} \leq w \leq w_{\max} - (w_{\max} - w_{\min}) \frac{\Delta T_{0I}}{\Delta T_{0w}}$


For this example, one can see that the system can be made secure for any increase

$\Delta T_{0I} < \Delta T_{0c}$

or any decrease

$\Delta T_{0D} < \Delta T_{0c}$

and simultaneously secure for either, if

$\Delta T_{0I} + \Delta T_{0D} \leq \Delta T_{0c}$
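The inlet-temperature security constraints above, generalized to any number of toleranced variables (each with its own mapped distance in the contingency space). This is an added example, not code from the dissertation; the tolerances, the distances and the heater variable q3 are constructed values.

```python
"""Security constraints for an inlet-temperature contingency.  Added worked
example, not code from the dissertation; the data below are constructed.

For every relaxed constraint  lo <= x <= hi  the text maps the span hi - lo
into the contingency space as a distance dT_x (the inlet-temperature change
that carries x from one bound to the other).  Securing the operating point
against an increase dT_I and a decrease dT_D shrinks each interval in
proportion to dT_I/dT_x and dT_D/dT_x, on the side the contingency pushes x
towards.  dT_0c is the smallest of all the distances."""
from typing import Dict, Optional, Tuple

# (lower bound, upper bound, distance dT_x in inlet-temperature units,
#  direction: +1 if an inlet-temperature increase raises x, -1 if it lowers x)
Tolerance = Tuple[float, float, float, int]

# Constructed tolerances: outlet temperature T6 and flow rate w rise with
# inlet temperature, heater power (here q3) falls, as the text states.
TOLERANCES: Dict[str, Tolerance] = {
    "T6": (1100.0, 1120.0, 20.0, +1),
    "w": (90.0, 110.0, 25.0, +1),
    "q3": (2.0, 8.0, 30.0, -1),
}


def contingency_capacity(tol: Dict[str, Tolerance]) -> float:
    """dT_0c: the largest single inlet-temperature change the system can be
    made secure against, i.e. the smallest mapped distance over all constraints."""
    return min(dist for (_, _, dist, _) in tol.values())


def security_constraints(tol: Dict[str, Tolerance], dT_I: float, dT_D: float
                         ) -> Optional[Dict[str, Tuple[float, float]]]:
    """Shrunken bounds (lo', hi') per variable for simultaneous security against
    an increase dT_I and a decrease dT_D.  None if dT_I + dT_D > dT_0c, in which
    case no operating point is secure with respect to both contingencies."""
    if dT_I + dT_D > contingency_capacity(tol):
        return None
    shrunk: Dict[str, Tuple[float, float]] = {}
    for name, (lo, hi, dist, direction) in tol.items():
        span = hi - lo
        # The bound the increase pushes towards must leave room for dT_I; the
        # opposite bound must leave room for the decrease dT_D.
        margin_hi, margin_lo = (dT_I, dT_D) if direction > 0 else (dT_D, dT_I)
        shrunk[name] = (lo + span * margin_lo / dist, hi - span * margin_hi / dist)
    return shrunk


def is_secure(point: Dict[str, float], tol: Dict[str, Tolerance],
              dT_I: float, dT_D: float) -> bool:
    """True when every variable of the operating point lies inside its
    security constraint (and the pair of contingencies is feasible at all)."""
    cons = security_constraints(tol, dT_I, dT_D)
    if cons is None:
        return False
    return all(lo <= point[name] <= hi for name, (lo, hi) in cons.items())


if __name__ == "__main__":
    print("dT_0c =", contingency_capacity(TOLERANCES))
    print(security_constraints(TOLERANCES, 5.0, 10.0))
    print(is_secure({"T6": 1112.0, "w": 100.0, "q3": 4.0}, TOLERANCES, 5.0, 10.0))
    print(security_constraints(TOLERANCES, 5.0, 16.0))
```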


Now that the security constraints have been formulated for the contingencies $\Delta h_I$, $\Delta h_D$, $\Delta T_{0I}$ and $\Delta T_{0D}$, the corresponding constraints can be added to the optimization if one wants to be secure with respect to one of these contingencies. This implementation of contingency control was carried out to the following extent. The process was not available for manipulation and study. Therefore, a simulation of the process was developed. It was simulated in six sections corresponding to the six heaters and their areas of direct influence. Six PID controllers were simulated, added to the process simulation and tuned. These direct controllers responded to errors between the sectional outlet temperatures and the temperature set points. Optimizations to generate these set points were developed for three cases without security control and then for the same three cases with security control. These cases were: the minimization of heater power, the achievement of a linear gradient based only on a desired outlet temperature and flow rate, and the minimization of a maximum deviation from a desired flow rate and temperature distribution. Security control could not be applied to the second case because the operating space consisted of a single operating point. The third optimization was the most realistic of the three and closely approximated the operation of the actual system. The linear programming problem that was used to minimize the maximum deviation from a desired flow rate and temperature distribution contained fifty two constraints, as follows:

8 equality constraints 

30 inequality constraints 

14 upper and lower bounds 

Ideally, one would like to close the loop between the system and the security controller by calculating the EMV dynamically as a function of the present operating point. Sufficient plant operating data was not made available to accomplish this. The performance function for the overall glass process was assumed to be known. In an actual implementation, these would be known and the loop could be closed. The overall implementation is shown in block diagram form in Figure 6-4.

It is impossible to illustrate the entire normal operating space as it actually was, because it was a twenty-four dimensional operating space. However, by considering only one section and using the deviations from the desired input and output temperatures as the axes, one can project all of the constraints that affect this section onto a two dimensional representation. This is shown in Figure 6-5.

FIGURE 6-5 (two dimensional projection of the operating space for one section; the axes are the deviations of the input and output temperatures from their desired values, e.g. $T_1 - T_{1d}$)

This is the operating space as it would be if all other sections were operating at their desired operating points.


The constraints are numbered. They correspond to the following load and operating constraints:

L1  $w \geq w_{\min}$
L2  $w \leq w_{\max}$
L3  $\eta_6 \geq \eta_{6\min}$
L4  $\eta_6 \leq \eta_{6\max}$
O1  $q_i \geq q_{i\min}$
O2  $q_i \leq q_{i\max}$

The contingencies and the constraints which they can violate (depending upon the magnitude of the contingency and the present operating point) are as follows:

Contingency       Constraints
$\Delta h_I$      L2
$\Delta h_D$      L1
$\Delta T_{0I}$   O1, L2, L3
$\Delta T_{0D}$   O2, L1, L4


If one envisions the appropriate security constraints superimposed on Figure 6-4, then it is easy to see how they restrict operation to a secure region of this operating space.


In conclusion, the implementation of contingency control for the 
glass manufacturing process was a linear programming problem that 
consisted of a minimization of the maximum deviation from a set of 
desired system parameters. This minimization was subject to sys- 
tem constraints, load constraints, operating constraints, and 
security constraints. The system constraints related the desired 
system parameters to the variables of the operating space. The 
operating and load constraints established the boundary of the 
normal operating space. The security constraints moved the opera- 
ting and load constraints in order to ensure security with respect 
to a particular contingency. The imposition of security constraints 
changed only the requirements vector in the linear programming 
problem. The decision as to whether or not to change an element or 
a set of elements of the requirements vector in order to secure was 
made as described in chapter three. For each contingency, the 
optimization was solved with the new requirements vector. This 
resulted in a temperature distribution, which was used to cal- 
culate the viscosity distribution and the resultant flow rate. These 
can be used to calculate the reduction in the overall system per- 
formance (or the cost of being secure with respect to this contin- 
gency). This cost can then be compared with the expected improvement 
in the EMV of the damage due to this contingency. 
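As an added worked example (constructed here, not code from the dissertation), the contingency control loop just described on one section whose operating space is bounded by box limits on the two temperature deviations; the bounds, the contingency shifts, the EMV figures and the per-degree performance cost are all assumed values, and with box bounds the minimax linear program reduces to clipping the desired point.

```python
def secured_bounds(lo, hi, shift):
    """Security constraints for a contingency that shifts the operating point by
    `shift`: x must stay within the load/operating bounds before and after the
    shift, so each bound moves by the shift.  None if nothing can be secured."""
    new_lo = tuple(max(l, l - s) for l, s in zip(lo, shift))
    new_hi = tuple(min(h, h - s) for h, s in zip(hi, shift))
    if any(l > h for l, h in zip(new_lo, new_hi)):
        return None
    return new_lo, new_hi

def best_operating_point(desired, lo, hi):
    """Minimise the maximum deviation from the desired point subject to the
    bounds; for independent box bounds the minimax LP optimum is a clip."""
    return tuple(min(max(d, l), h) for d, l, h in zip(desired, lo, hi))

def max_deviation(point, desired):
    return max(abs(p - d) for p, d in zip(point, desired))

def is_secure(point, lo, hi, shift):
    """True if the operating point still satisfies the constraints after the contingency."""
    return all(l <= p + s <= h for p, l, h, s in zip(point, lo, hi, shift))

def contingency_control(desired, lo, hi, contingencies, emv_gain, cost_per_degree):
    """Per contingency: re-solve with the secured requirements vector, price the
    extra deviation (assumed linear per degree) and compare with the expected
    reduction in damage (EMV).  Returns (decision, secured point) per contingency."""
    base_dev = max_deviation(best_operating_point(desired, lo, hi), desired)
    decisions = {}
    for name, shift in contingencies.items():
        bounds = secured_bounds(lo, hi, shift)
        if bounds is None:
            decisions[name] = ("cannot secure", None)
            continue
        point = best_operating_point(desired, *bounds)
        cost = (max_deviation(point, desired) - base_dev) * cost_per_degree
        decisions[name] = ("impose" if emv_gain[name] > cost else "do not impose", point)
    return decisions

# Constructed data: bounds on (input deviation, output deviation) in degrees,
# a desired point near the lower input constraint, and three contingencies.
LO, HI = (-10.0, -5.0), (10.0, 5.0)
DESIRED = (-8.0, 3.0)
CONTINGENCIES = {
    "fuel_loss": (-3.0, -2.0),     # burner trip lowers both temperatures
    "pull_increase": (0.0, 4.0),   # higher pull raises the output temperature
    "severe_surge": (0.0, 12.0),   # larger than the whole operating range
}
EMV_GAIN = {"fuel_loss": 100.0, "pull_increase": 2000.0, "severe_surge": 5000.0}
```

Running `contingency_control(DESIRED, LO, HI, CONTINGENCIES, EMV_GAIN, 500.0)` shows one contingency too cheap in damage to justify moving the operating point, one worth securing, and one that no point in the operating space can be secured against.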








CHAPTER VII 
SUMMARY AND EXTENSIONS 

Summary 

In this dissertation, a number of things were developed. 
1) Numerous previously unrelated ideas about system security were 
developed into a consolidated set of concepts. 
2) These concepts led to the development of security control actions 
that could compensate for disruptive disturbances (contingencies). 
3) The concepts which were presented serve as the framework for a 
new type of control that involves dynamic decision-making, security 
and performance. With the advent of security control, computers 
Will be able to assist in a dynamic decision making process that is 
presently performed by human operators and process supervisors. 
4) A measure of security that depends on the present operating 
point was presented. This measure was used to decide implementation 
or non-implementation of security control actions. 
5) The cost of security control actions was discussed in order to 
develop the guidelines for justifying security control. 
6) Several examples were presented to demonstrate not only applic- 
ability but details of implementation. 
7) These examples were used to demonstrate the origin of security 
constraints. 


8) One example was developed in sufficient detail to demonstrate 
the implementation aspects of contingency control. 

9) An operating space was used throughout the thesis instead of 
relating to a state space. This emphasizes the use of variables 
which are already available for the operation and control of a 
system. 

10) The partitioning of the operating space by imposing security 
constraints was demonstrated in the downcomer example. 
11) The use of a linear program for the constrained optimization 
had several advantages. It was a simple and straightforward 
implementation. Security decisions could be made based on all of 
the operating variables. Operators tend to concentrate their 
attention on one or two variables which they hope are the most 
significant variables. The enumeration problem was relatively simple, 
since only the requirements vector of the linear programming prob- 
lem changed. 

12) The downcomer example demonstrated that processes which are 
presently over constrained can be operated in such a manner as to take 
advantage of the tradeoff between security and performance. This 
was accomplished by creating an operating space. Then a constrained 
optimization problem selected the best operating point based on 
performance and security. The constraints were directly related to 
the set of next contingencies. This set was considered fixed; how- 
ever, it could have been dynamic without any additional complexity. 
The dynamic case required only that the expected monetary value be 
expressed as a function of the present operating point. 


Extensions 

It is hoped that the immediate extensions of this research will 
be in the area of application. The application of security control 
leads to a better understanding of the overall system being controlled. 
It can lead to the design of better prevention and protection sys- 
tems. Hopefully in some systems, it will result in an on-line 
implementation of contingency control. In every case where security 
control is carefully applied, the long term cost of operating 
the system will be less. 

In addition, research efforts on security control need to con- 
tinue. For example, a computer assisted implementation of contin- 
gency planning could be developed. The diagnostic portion of a 
contingency plan can certainly be computerized in order to achieve 
a quick, reliable diagnosis of an emergency for a complex system. 

It may be possible to use the same constrained optimization deve- 
loped for contingency control to generate various strategies for 
contingency plans on a given system. The development of a greater 
understanding of related sequential events (the theory of discrete 
events) will assist in the design of better systems for contingency 
prevention. 

As far as systems theory and the theory of control are concerned, 
security control has its own natural decomposition, and each section 
of the security controller can interact with the various levels of 
multi-level control. In fact, in relation to systems theory, this 
is an example of a multi-strata control system. The traditional 
control with its multi-level decomposition is in the lower stratum. 
The security control is in the other stratum with an entirely 
different decomposition. This is shown in Figure 7-1. 

FIGURE 7-1 (second stratum: security control; first stratum: 
traditional control; levels shown: emergency, corrective, 
restorative, preventative, self organizing, adaptive) 
There is no special sequence necessary in order to develop the 
two strata. One can easily display examples where one has been 
developed first and the other later or not at all. In other cases, 
it might have been necessary to develop them concurrently even 
though neither stratum is completely developed. However, with the 
help of the set of concepts presented in this thesis, both strata 
can now be developed to a greater extent. 